CN109716810A - Authority checking method and apparatus - Google Patents


Info

Publication number
CN109716810A
Authority
CN
China
Prior art keywords
remote equipment
trunking
management entity
mobile management
key
Legal status
Granted
Application number
CN201780056351.6A
Other languages
Chinese (zh)
Other versions
CN109716810B (en)
Inventor
应江威
邓强
黄正磊
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN109716810A
Application granted
Publication of CN109716810B
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W 12/043 Key management using a trusted network node as an anchor
                • H04W 12/0431 Key distribution or pre-distribution; Key agreement
            • H04W 12/06 Authentication
              • H04W 12/062 Pre-authentication
              • H04W 12/069 Authentication using certificates or pre-shared keys
            • H04W 12/08 Access security
              • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
            • H04W 12/60 Context-dependent security
              • H04W 12/69 Identity-dependent
                • H04W 12/71 Hardware identity
          • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
            • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
          • H04W 40/00 Communication routing or communication path finding
            • H04W 40/02 Communication route or path selection, e.g. power-based or shortest path routing
              • H04W 40/22 Communication route or path selection using selective relaying for reaching a BTS [Base Transceiver Station] or an access point
          • H04W 48/00 Access restriction; Network selection; Access point selection
            • H04W 48/02 Access restriction performed under specific conditions
              • H04W 48/04 Access restriction based on user or terminal location or mobility data, e.g. moving direction, speed
          • H04W 76/00 Connection management
            • H04W 76/10 Connection setup
              • H04W 76/14 Direct-mode setup
          • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
            • H04W 88/02 Terminal devices
              • H04W 88/04 Terminal devices adapted for relaying to or from another terminal or user
          • H04W 8/00 Network data management
            • H04W 8/005 Discovery of network devices, e.g. terminals
          • H04W 84/00 Network topologies
            • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
              • H04W 84/04 Large scale networks; Deep hierarchical networks
                • H04W 84/042 Public Land Mobile systems, e.g. cellular systems
                  • H04W 84/047 Public Land Mobile systems using dedicated repeater stations
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 61/00 Network arrangements, protocols or services for addressing or naming
            • H04L 61/50 Address allocation

Abstract

Embodiments of the present application provide an authorization verification method and apparatus. The method comprises: a relay device generates a first radio resource control message according to information sent by a remote device and sends it to a base station; the base station identifies from the first radio resource control message that the remote device requests access to the network through the relay device, and sends the acquired identifier of the relay device and the non-access stratum (NAS) message of the remote device to the mobility management entity of the remote device in an initial device (UE) message; the mobility management entity of the remote device receives the initial device message and, triggered by it, verifies the association relationship between the remote device and the relay device, and after determining that the association relationship is verified, sends an initial context setup request message to the base station. This technical solution uses the mobility management entity of the remote device to perform authorization verification on the remote device and the relay device, which lowers network deployment requirements, reduces network overhead and improves verification efficiency.

Description

Authority checking method and apparatus
Technical field
This application relates to the field of wireless communication technology, and in particular to an authority checking (authorization verification) method and apparatus.
Background art
In the Evolved Packet System (EPS), remote devices such as wearable devices connect to the network through a relay device in order to reduce the power consumption of the remote device. When a remote device connects to the network through a relay device, it needs to use the radio bearer of the relay device, so the network must complete the mapping of the data bearer relationship between the remote device and the relay device; the network therefore needs to verify the legitimacy of the remote device and the relay device and the association relationship between them.
In the prior art, when the relay device is a layer 3 relay, the network does not store a context for the remote device and there is no data channel for the remote device between the base station and the network; the remote device's data is carried between the base station and the network over the relay device's data channel. In this case the network verifies the association relationship between the remote device and the relay device as follows. First, the remote device obtains relay discovery parameters and the address of the key management function entity (ProSe Key Management Function, PKMF) from the proximity service function entity (Proximity Service Function, PF), then obtains discovery security parameters from the PKMF using that address and sends a key request to the PKMF to obtain the root key for relayed communication. Second, the relay device obtains relay discovery parameters and the PKMF address from the PF and obtains discovery security parameters from the PKMF. Then, if the remote device needs to access the network through the relay device, the remote device and the relay device perform a discovery procedure based on the parameters obtained from the PF. After the discovery procedure completes successfully, the remote device sends a communication request to the relay device, which triggers the relay device to send a relay authorization and key request to the PKMF; the PKMF checks whether the remote device is authorized to access the network through the relay device, generates a short-range communication key, and returns to the relay device a key response containing the communication key, the key generation parameters and similar content. The relay device forwards the key generation parameters to the remote device, which generates the communication key from them; if the communication key generated on the remote device side matches the communication key received by the relay device, authentication and authorization check pass, and the remote device can connect to the network through the relay device.
However, a remote device can also connect to the network through a layer 2 relay. Because the protocol stack structure of a layer 2 relay differs from that of a layer 3 relay, when the relay device is a layer 2 relay the base station establishes corresponding context information for the remote device and a data channel for the remote device to the core network. If the authorization verification method of the layer 3 relay were still used to verify the association relationship between the remote device and the relay device in this case, the cumbersome parameter configuration procedure and authorization check procedure of the layer 3 scheme described above would have to be executed, so that the whole authentication and authorization procedure has high network deployment requirements, high network overhead and low verification efficiency.
Summary of the invention
Embodiments of the present application provide an authorization verification method and apparatus to solve the problems that the authentication and authorization procedure for the association relationship between a remote device and a relay device has high network deployment requirements, high network overhead and low verification efficiency.
A first aspect of the embodiments of the present application provides an authorization verification method described from the perspective of the mobility management entity of the relay device. The method comprises: the mobility management entity of the relay device receives a first request message, sent by the relay device, that includes the identifier of the remote device; according to the first request message, it triggers verification of the association relationship between the remote device and the relay device; after determining that the association relationship is verified, it generates a first response message and sends it to the relay device. Triggering verification of the association relationship between the remote device and the relay device according to the first request message comprises: sending a second request message including the identifier of the remote device to the mobility management entity of the remote device, and receiving a second response message that the mobility management entity of the remote device sends after performing security processing on the remote device according to the second request message.
This method is directed at layer 2 relay devices and designs an association relationship verification scheme for the remote device and the relay device. The mobility management entity of the relay device triggers verification of the association relationship between the remote device and the relay device according to the first request message sent by the relay device; optionally, the verification may be performed on the mobility management entity side of the relay device, or on the mobility management entity side of the remote device. This avoids the cumbersome parameter configuration procedure and authorization check procedure that the existing layer 3 relay scheme requires, so that, compared with the existing layer 3 solution, the layer 2 solution of this application lowers network deployment requirements, reduces network overhead and improves verification efficiency.
Optionally, triggering verification of the association relationship between the remote device and the relay device according to the first request message further comprises: the mobility management entity of the relay device obtains first authorization information according to the first request message, and verifies, according to the identifier of the remote device, the identifier of the relay device and the first authorization information, whether the remote device is allowed to access the network through the relay device. Optionally, when the mobility management entity of the relay device verifies the association relationship itself, it first needs to obtain the context of the relay device and take from that context the list of remote devices that have an authorization relationship with the relay device, which is the first authorization information, and then perform the verification. Once the mobility management entity of the relay device knows the identifier of the remote device, the identifier of the relay device and the first authorization information, it determines whether the first authorization information includes the association relationship between the relay device and the remote device. If it does, the remote device is allowed to access the network through the relay device; otherwise, the remote device is not allowed to access the network through the relay device.
Optionally, obtaining the first authorization information according to the first request message comprises: after the relay device has successfully registered with the network, obtaining the first authorization information from the user data management entity and/or the proximity service function entity according to the identifier of the relay device. That is, after the relay device successfully registers with the network, the first authorization information of the relay device concerning remote devices is stored in the network in the user data management entity and/or the proximity service function entity. When the first authorization information is held in the user data management entity, the mobility management entity of the relay device obtains it directly from the user data management entity. When it is obtained from the proximity service function entity, two cases arise: if the mobility management entity of the relay device can communicate directly with the proximity service function entity, i.e. a direct interface exists between them, it obtains the first authorization information directly from the proximity service function entity; if it cannot, i.e. no direct interface exists between them, the proximity service function entity sends the first authorization information to the mobility management entity of the relay device through the HSS.
Optionally, if the first request message further includes a relay service code, then triggering verification of the association relationship between the remote device and the relay device according to the first request message comprises: the mobility management entity of the relay device verifies, according to the identifier of the remote device, the identifier of the relay device, the relay service code and the first authorization information, whether the remote device is allowed to access the network through the relay device.
When the communication request that the remote device sends to the relay device also includes a relay service code, the first request message that the relay device assembles also includes the relay service code. The relay service code characterizes the service type the remote device requests; different relay service codes correspond to different service types. The mobility management entity of the relay device therefore also takes the relay service code into account when verifying the association relationship between the remote device and the relay device, and in this case the first authorization information is a list relating the remote devices that have an authorization relationship with the relay device to their corresponding relay service codes.
Optionally, the authorization verification method further comprises: the mobility management entity of the relay device sends to the proximity service function entity a third request message that includes the identifier of the remote device and the identifier of the relay device, so that the proximity service function entity verifies, according to the third request message, whether the remote device is allowed to access the network through the relay device. As an example, regarding how the mobility management entity of the relay device triggers verification of the association relationship between the remote device and the relay device: besides verifying it itself, or sending the second request message to the mobility management entity of the remote device so that that entity verifies it, the mobility management entity of the relay device may also send a third request message to the proximity service function entity so that the proximity service function entity verifies it.
Optionally, the authorization verification method further comprises: the mobility management entity of the relay device receives the key, and the security parameters needed to generate the key, sent by the mobility management entity of the remote device, and sends the key and the security parameters to the relay device.
When the remote device wants to access the network through the relay device, the remote device and the relay device need a key to protect the communication between them. The mobility management entity of the relay device therefore also needs to receive the key and the security parameters needed to generate it from the mobility management entity of the remote device and forward them to the relay device, so that the relay device holds the key and the security parameters needed to generate it.
Optionally, when the mobility management entity of the relay device, the mobility management entity of the remote device or the proximity service function entity has verified the association relationship between the remote device and the relay device, but the second response message received by the mobility management entity of the relay device does not carry the key protecting communication between the remote device and the relay device and the security parameters needed to generate it, the mobility management entity of the relay device sends a key request message to the security function entity. The security function entity then looks up, according to the identifier of the remote device in the key request message, the key protecting communication between the remote device and the relay device and the security parameters needed to generate it, and returns them to the mobility management entity of the relay device, which in turn forwards the key and the security parameters to the relay device so that the relay device can process them accordingly.
In this way, even if the first response message generated by the mobility management entity of the relay device does not carry the key protecting communication between the remote device and the relay device and the security parameters needed to generate it, the relay device can still obtain them, which ensures that the remote device can access the network through the relay device.
Optionally, when the first request message further includes the NAS message of the remote device and the check code of the NAS message, the second request message also includes the NAS message of the remote device and the check code of the NAS message. The mobility management entity of the remote device can then also verify the NAS message of the remote device, in particular verify the check code of the NAS message against the NAS context information of the remote device.
A second aspect of the embodiments of the present application provides an authorization verification method described from the perspective of the mobility management entity of the remote device. The method comprises: the mobility management entity of the remote device receives a second request message, sent by the mobility management entity of the relay device, that includes the identifier of the remote device; performs security processing on the remote device according to the second request message; and, after performing the security processing on the remote device, sends a second response message to the mobility management entity of the relay device.
As an example, when the mobility management entity of the relay device triggers verification of the association relationship between the remote device and the relay device, the mobility management entity of the remote device can receive the second request message sent by the mobility management entity of the relay device, perform security processing on the remote device according to the second request message or further verify the association relationship between the remote device and the relay device, generate a second response message according to the result of the security processing, and return the second response message to the mobility management entity of the relay device. Having the authorization relationship verified by the mobility management entity of the remote device lowers network deployment requirements, reduces network overhead and improves verification efficiency.
Optionally, performing security processing on the remote device according to the second request message comprises: the mobility management entity of the remote device obtains second authorization information according to the second request message and verifies, according to the identifier of the remote device, the identifier of the relay device and the second authorization information, whether the remote device is allowed to access the network through the relay device. Optionally, obtaining the second authorization information according to the second request message comprises: after the remote device has successfully registered with the network, the mobility management entity of the remote device obtains the second authorization information from the user data management entity and/or the proximity service function entity according to the identifier of the remote device; it then looks up the second authorization information in the remote device's context information according to the identifier of the remote device in the second request message.
After the remote device has successfully registered with the network, the second authorization information of the remote device concerning relay devices is stored in the network in the user data management entity and/or the proximity service function entity, so the mobility management entity of the remote device can obtain the second authorization information from there according to the identifier of the remote device, and can then determine, from the identifier of the remote device, the identifier of the relay device and the obtained second authorization information, whether the second authorization information includes the association relationship between the remote device and the relay device. If it does, the remote device is allowed to access the network through the relay device; otherwise, the remote device is not allowed to access the network through the relay device. Optionally, the second authorization information is the list of relay devices that have an authorization relationship with the remote device.
Optionally, if the second request message further includes a relay service code, performing security processing on the remote device according to the second request message comprises: the mobility management entity of the remote device verifies, according to the identifier of the remote device, the identifier of the relay device, the relay service code and the second authorization information, whether the remote device is allowed to access the network through the relay device. In this case the second authorization information is a list relating the relay devices that have an authorization relationship with the remote device to their corresponding relay service codes. The mobility management entity of the remote device thus adds the relay service code, that is, the service type requested by the remote device, to the conditions for deciding the association relationship between the remote device and the relay device, which makes the decision more accurate.
Optionally, performing security processing on the remote device according to the second request message comprises: the mobility management entity of the remote device obtains the NAS context information of the remote device according to the identifier of the remote device in the second request message, and verifies the check code of the remote device's NAS message against that NAS context information; in this case the second request message includes the NAS message of the remote device, the check code of the NAS message and the identifier of the remote device.
In this embodiment, when the first request message further includes the NAS message of the remote device and the check code of the NAS message, the second request message also includes the NAS message of the remote device and the check code of the NAS message. The mobility management entity of the remote device can then also verify the NAS message of the remote device, in particular verify its check code against the NAS context information of the remote device, and thereby complete the security authentication of the remote device and the relay device by checking the integrity of the NAS message.
Optionally, the authorization verification method further comprises: the mobility management entity of the remote device obtains the NAS context information of the remote device according to the identifier of the remote device in the second request message, generates from that NAS context information the key protecting communication between the remote device and the relay device, and sends the key and the security parameters needed to generate it to the mobility management entity of the relay device.
In this embodiment, to secure the communication between the remote device and the relay device, the mobility management entity of the remote device obtains the NAS context information of the remote device according to the identifier of the remote device that wishes to communicate; the security parameters needed to generate the key are stored in that NAS context information. Furthermore, since the mobility management entity of the remote device generally does not communicate directly with the relay device, after it has generated the key protecting communication between the remote device and the relay device it needs to send the key and the security parameters needed to generate it to the mobility management entity of the relay device, which then sends them to the relay device.
Optionally, the authorization verification method further comprises: the mobility management entity of the remote device sends to the security function entity a key request message that includes the identifier of the remote device, so that the security function entity obtains, according to the key request message, the key protecting communication between the remote device and the relay device and the security parameters needed to generate it and returns them to the mobility management entity of the remote device, which then sends them to the relay device through the mobility management entity of the relay device.
Optionally, when the mobility management entity of the relay device, the mobility management entity of the remote device or the proximity service function entity has verified the association relationship between the remote device and the relay device, but the integrity check of the remote device's NAS message has not passed, or the NAS message of the remote device has no integrity protection, or the first request message and the second request message do not carry the NAS message of the remote device, the key protecting communication between the remote device and the relay device and the security parameters needed to generate it can be obtained through the security function entity, which ensures normal communication between the remote device and the relay device.
A third aspect of the embodiments of the present application provides an authorization verification method described from the perspective of the relay device. The method comprises: the relay device receives a communication request, sent by the remote device, that includes the identifier of the remote device; generates a first request message according to the communication request and sends it to the mobility management entity of the relay device; receives the first response message that the mobility management entity of the relay device sends after determining that the association relationship is verified; and sends a communication response to the remote device according to the first response message.
In this method the communication response conveys the result of the verification, and once the remote device has generated the key protecting communication between the remote device and the relay device, the remote device can connect to the network through the relay device. The implementation is simple, the network overhead is small and the verification efficiency is high.
Optionally, the authorization verification method further comprises: when the relay device receives from the mobility management entity of the relay device the key protecting communication between the remote device and the relay device and the security parameters needed to generate it, sending the communication response to the remote device according to the first response message comprises: the relay device sends the security parameters to the remote device in the communication response, so that the remote device generates the key protecting communication between the remote device and the relay device according to the security parameters.
After the relay device receives the key and the security parameters needed to generate it, it keeps the key itself and sends the security parameters needed to generate the key to the remote device in the communication response, so that the remote device can generate the key protecting communication between the remote device and the relay device from the security parameters on its own. If the key on the remote device side and the key on the relay device side agree, authentication and authorization check between the remote device and the relay device succeed, and the remote device can send data to the network through the relay device.
A fourth aspect of the embodiments of this application provides an authorization verification method, described from the perspective of a network-side device. The network-side device may be the mobility management entity of the relay device, the mobility management entity of the remote device, or the proximity service function entity. The method comprises: the network-side device receives a first request message sent by the relay device, the first request message including the identifier of the remote device; triggers, according to the first request message, verification of the association relationship between the remote device and the relay device; and, after determining that the association relationship has been verified, sends a first response message to the relay device.
When the mobility management entity of the remote device and the mobility management entity of the relay device are the same mobility management entity, that entity can be referred to as the network-side device; that is, the network-side device in this embodiment can be implemented by either the mobility management entity of the remote device or the mobility management entity of the relay device. In one embodiment, the network-side device can also be implemented by the proximity service function entity.
Optionally, the network-side device triggering, according to the first request message, verification of the association relationship between the remote device and the relay device includes: the network-side device obtains first authorization information according to the first request message, and verifies, according to the identifier of the remote device, the identifier of the relay device and the first authorization information, whether the remote device is allowed to access the network through the relay device. Here, obtaining the first authorization information according to the first request message includes: after the relay device and the remote device have successfully registered with the network, the network-side device obtains the first authorization information from the user data management entity and/or the proximity service function entity and stores it in the context information of the remote device and/or the context information of the relay device; the network-side device then looks up the stored first authorization information according to the remote device identifier and/or the relay device identifier carried in the first request message.
In one embodiment, when the network-side device is the mobility management entity of the relay device, the network-side device obtains the first authorization information from the user data management entity and/or the proximity service function entity according to the identifier of the relay device after the relay device has successfully registered with the network; in this case the first authorization information is the authorization information of the relay device.
In another embodiment, when the network-side device is the mobility management entity of the remote device, the network-side device obtains the first authorization information from the user data management entity and/or the proximity service function entity according to the identifier of the remote device after the remote device has successfully registered with the network; in this case the first authorization information is the authorization information of the remote device.
In yet another embodiment, when the network-side device is the proximity service function entity, the network-side device obtains the first authorization information from the user data management entity and/or the proximity service function entity according to the identifier of the relay device and the identifier of the remote device respectively, after the remote device and the relay device have successfully registered with the network; in this case the first authorization information includes both the authorization information of the remote device and the authorization information of the relay device.
Optionally, if the first request message further includes a relay service code, the network-side device triggering verification of the association relationship according to the first request message includes: the network-side device verifies, according to the identifier of the remote device, the identifier of the relay device, the relay service code and the first authorization information, whether the remote device is allowed to access the network through the relay device.
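The authorization lookup described above, as an added example that is not code from the patent: a network-side entity (relay MME, remote MME or proximity service function) caches the authorization information fetched at registration in the device context, then checks the identifier pair and, when present, the relay service code. The context layout, the `SUBSCRIBER_DB` stand-in for the user data management entity and all identifiers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DeviceContext:
    """Context a network-side entity keeps per registered device (constructed layout).
    `authorization` is the first authorization information fetched after registration:
    peer identifier -> set of relay service codes the pair is authorized for."""
    device_id: str
    authorization: dict = field(default_factory=dict)


class NetworkSideEntity:
    """Relay MME, remote MME or proximity service function performing the association check."""

    def __init__(self, role: str, subscriber_db: dict):
        assert role in ("relay_mme", "remote_mme", "prose_function")
        self.role = role
        # stands in for the user data management entity / proximity service function
        # answering authorization queries; keyed by device identifier (constructed)
        self.subscriber_db = subscriber_db
        self.contexts = {}

    def on_registered(self, device_id: str) -> None:
        """After successful registration, pull the device's authorization information and
        store it in the device context, so later checks are local lookups."""
        auth = self.subscriber_db.get(device_id, {})
        self.contexts[device_id] = DeviceContext(
            device_id, {peer: set(codes) for peer, codes in auth.items()}
        )

    def _contexts_to_check(self, remote_id: str, relay_id: str):
        # (context holder, peer that the context must list as authorized)
        if self.role == "relay_mme":
            return [(relay_id, remote_id)]
        if self.role == "remote_mme":
            return [(remote_id, relay_id)]
        return [(relay_id, remote_id), (remote_id, relay_id)]  # ProSe function holds both

    def verify_association(self, remote_id: str, relay_id: str, relay_service_code=None):
        """Return (allowed, reason). Every consulted context must exist (the device has
        registered) and must authorize the peer, for the given relay service code if the
        first request message carried one. Any missing piece fails closed."""
        for holder, peer in self._contexts_to_check(remote_id, relay_id):
            ctx = self.contexts.get(holder)
            if ctx is None:
                return False, f"no context for {holder}: not registered"
            codes = ctx.authorization.get(peer)
            if codes is None:
                return False, f"{holder} is not authorized to pair with {peer}"
            if relay_service_code is not None and relay_service_code not in codes:
                return False, f"relay service code {relay_service_code} not authorized"
        return True, "association verified"

    def handle_first_request(self, first_request: dict) -> dict:
        """Process a first request message and build the first response message."""
        allowed, reason = self.verify_association(
            first_request["remote_id"], first_request["relay_id"],
            first_request.get("relay_service_code"))
        return {"remote_id": first_request["remote_id"], "verified": allowed, "reason": reason}


# Constructed subscription data: which peers / relay service codes each device may use.
SUBSCRIBER_DB = {
    "relay-A": {"remote-1": ["RSC-10", "RSC-20"]},
    "remote-1": {"relay-A": ["RSC-10", "RSC-20"]},
    "remote-2": {"relay-A": ["RSC-10"]},   # remote-2 is absent from relay-A's authorization
}


def demo():
    """Three first request messages handled by a proximity service function."""
    prose = NetworkSideEntity("prose_function", SUBSCRIBER_DB)
    for dev in ("relay-A", "remote-1", "remote-2"):
        prose.on_registered(dev)
    return [prose.handle_first_request(req)["verified"] for req in (
        {"remote_id": "remote-1", "relay_id": "relay-A", "relay_service_code": "RSC-10"},
        {"remote_id": "remote-1", "relay_id": "relay-A", "relay_service_code": "RSC-99"},
        {"remote_id": "remote-2", "relay_id": "relay-A"},
    )]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

Note that a remote MME holding only remote-2's context would accept remote-2 via relay-A, while the proximity service function, which checks both contexts, rejects it; which entity verifies therefore determines how much of the subscription data the check actually covers.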
Optionally, the network-side device triggering, according to the first request message, verification of the association relationship between the remote device and the relay device includes: the network-side device sends a second request message to a first mobility management entity, so that the first mobility management entity verifies, according to the second request message, whether the remote device is allowed to access the network through the relay device. Here, when the network-side device is the mobility management entity of the relay device, the first mobility management entity is the proximity service function entity or the mobility management entity of the remote device; when the network-side device is the mobility management entity of the remote device, the first mobility management entity is the proximity service function entity or the mobility management entity of the relay device; and when the network-side device is the proximity service function entity, the first mobility management entity is the mobility management entity of the remote device or the mobility management entity of the relay device.
Optionally, when the first request message includes the NAS message of the remote device and the check code of that NAS message, the second request message includes the NAS message of the remote device, the check code of the NAS message and the identifier of the remote device, and the network-side device triggering verification of the association relationship according to the first request message includes: the network-side device sends the second request message to the mobility management entity of the remote device, so that the mobility management entity of the remote device performs security processing for the remote device according to the second request message. In this case the network-side device is the mobility management entity of the relay device or the proximity service function entity.
Optionally, when the network-side device is the mobility management entity of the remote device, the network-side device receiving the first request message sent by the relay device includes: the network-side device receives the first request message forwarded by the base station, and the first request message further includes the identifier of the relay device.
Optionally, when the first request message includes the NAS message of the remote device and the check code of that NAS message, the network-side device triggering verification of the association relationship according to the first request message includes: the network-side device obtains the NAS context information of the remote device according to the identifier of the remote device, and verifies the check code of the NAS message according to that NAS context information.
Optionally, the authorization verification method further includes: the network-side device sends a second request message to the first mobility management entity, so that the first mobility management entity obtains the NAS context information of the remote device according to the identifier of the remote device, generates the key for protecting communication security between the remote device and the relay device according to that NAS context information, and feeds back the key and the security parameter needed to generate it to the network-side device; the network-side device sends the key and the security parameter to the relay device, so that the relay device returns the security parameter to the remote device and the remote device generates the key for protecting communication security between the remote device and the relay device according to the security parameter. In this case the network-side device is the mobility management entity of the relay device, and the first mobility management entity is the proximity service function entity or the mobility management entity of the remote device.
Optionally, the authorization verification method further includes: the network-side device obtains the NAS context information of the remote device according to the identifier of the remote device, generates the key for protecting communication security between the remote device and the relay device according to that NAS context information, and feeds back the key and the security parameter needed to generate it to the mobility management entity of the relay device, which forwards them to the relay device; the relay device returns the security parameter to the remote device, so that the remote device generates the key for protecting communication security between the remote device and the relay device according to the security parameter. In this case the network-side device is the mobility management entity of the remote device or the proximity service function entity.
Optionally, the key is generated by the mobility management entity of the remote device according to the underlying security key of the remote device.
Optionally, the context information of the relay device is stored in the mobility management entity of the relay device, the context information of the remote device is stored in the mobility management entity of the remote device, and both the context information of the relay device and the context information of the remote device are stored in the proximity service function entity.
Optionally, the authorization verification method further includes: the network-side device sends a key request message including the identifier of the remote device to the security function entity, so that the security function entity obtains, according to the key request message, the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate that key, and feeds back the key and the security parameter to the network-side device.
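The check-code verification and key generation described in the options above, carried through to the key agreement on the relay side from the third aspect, as an added example that is not code from the patent. HMAC-SHA256 truncated to 32 bits stands in for the NAS integrity algorithm, an HMAC-based derivation from the remote device's underlying key stands in for the key generation, and a random nonce plays the security parameter; these choices, the message layouts and the key values are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAC_LEN = 4  # 32-bit NAS check code; assumption modelled on the LTE NAS MAC length


@dataclass
class NasContext:
    """NAS context the remote device's MME holds per remote device (constructed layout)."""
    remote_id: str
    k_nas_int: bytes     # NAS integrity key
    k_base: bytes        # underlying security key of the remote device
    last_count: int = -1  # highest NAS COUNT accepted so far, for replay rejection


def nas_check_code(k_nas_int: bytes, count: int, nas_msg: bytes) -> bytes:
    """Check code over COUNT || NAS message; HMAC-SHA256 stands in for the real algorithm."""
    data = count.to_bytes(4, "big") + nas_msg
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:MAC_LEN]


def derive_relay_key(k_base: bytes, remote_id: str, relay_id: str, nonce: bytes) -> bytes:
    """Key protecting remote<->relay traffic, bound to both identifiers and to the security
    parameter (nonce) so each pairing gets a fresh key. The KDF itself is an assumption."""
    label = b"remote-relay-key|" + remote_id.encode() + b"|" + relay_id.encode() + b"|" + nonce
    return hmac.new(k_base, label, hashlib.sha256).digest()


class RemoteMme:
    """Mobility management entity of the remote device (constructed model)."""

    def __init__(self):
        self.nas_contexts = {}

    def verify_check_code(self, remote_id: str, count: int, nas_msg: bytes, check_code: bytes) -> bool:
        """Look up the NAS context by remote identifier and verify the check code carried in
        the request message. Fails closed on a missing context or a replayed COUNT."""
        ctx = self.nas_contexts.get(remote_id)
        if ctx is None or count <= ctx.last_count:
            return False
        if not hmac.compare_digest(nas_check_code(ctx.k_nas_int, count, nas_msg), check_code):
            return False
        ctx.last_count = count
        return True

    def generate_key_material(self, remote_id: str, relay_id: str, nonce: Optional[bytes] = None):
        """Generate the relay key from the remote's underlying key plus a fresh security
        parameter; returns the key (for the relay) and the parameter (for the remote)."""
        ctx = self.nas_contexts[remote_id]
        nonce = os.urandom(16) if nonce is None else nonce
        key = derive_relay_key(ctx.k_base, remote_id, relay_id, nonce)
        return key, {"remote_id": remote_id, "relay_id": relay_id, "nonce": nonce.hex()}


def remote_derive_key(k_base: bytes, security_parameter: dict) -> bytes:
    """Remote device side: regenerate the key from the parameter carried in the communication response."""
    p = security_parameter
    return derive_relay_key(k_base, p["remote_id"], p["relay_id"], bytes.fromhex(p["nonce"]))


# Constructed keys for the walk-through.
K_NAS_INT = b"constructed-nas-integrity-key"
K_BASE = b"constructed-remote-underlying-key"


def run_flow(tamper: bool = False, nonce: bytes = bytes(16)) -> Optional[bool]:
    """Remote -> relay -> MME check, then key generation and agreement.
    Returns None when the check code fails, else whether both sides hold the same key."""
    remote_id, relay_id = "remote-1", "relay-A"
    mme = RemoteMme()
    mme.nas_contexts[remote_id] = NasContext(remote_id, K_NAS_INT, K_BASE)

    # the remote device builds its NAS message and check code
    count, nas_msg = 7, b"REMOTE_COMM_REQUEST:" + remote_id.encode()
    check_code = nas_check_code(K_NAS_INT, count, nas_msg)
    if tamper:
        nas_msg = nas_msg + b":modified-in-transit"

    # the relay forwards them in the first request message; the MME verifies against the NAS context
    if not mme.verify_check_code(remote_id, count, nas_msg, check_code):
        return None
    relay_key, params = mme.generate_key_material(remote_id, relay_id, nonce)

    # the relay keeps relay_key and returns only params in the communication response;
    # the remote device derives its own copy from its underlying key
    remote_key = remote_derive_key(K_BASE, params)
    return hmac.compare_digest(relay_key, remote_key)


if __name__ == "__main__":
    print(run_flow(), run_flow(tamper=True))  # True None
```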
A fifth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including modules or means for executing the method provided by the first aspect and its various implementations.
A sixth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including modules or means for executing the method provided by the second aspect and its various implementations.
A seventh aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including modules or means for executing the method provided by the third aspect and its various implementations.
An eighth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including modules or means for executing the method provided by the fourth aspect and its various implementations.
A ninth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including a processor and a memory, the memory storing a program and the processor calling the program stored in the memory to execute the method provided by the first aspect of this application.
A tenth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including a processor and a memory, the memory storing a program and the processor calling the program stored in the memory to execute the method provided by the second aspect of this application.
An eleventh aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including a processor and a memory, the memory storing a program and the processor calling the program stored in the memory to execute the method provided by the third aspect of this application.
A twelfth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including a processor and a memory, the memory storing a program and the processor calling the program stored in the memory to execute the method provided by the fourth aspect of this application.
A thirteenth aspect of the embodiments of this application provides an authorization verification apparatus including at least one processing element (or chip) for executing the method of the first aspect.
A fourteenth aspect of the embodiments of this application provides an authorization verification apparatus including at least one processing element (or chip) for executing the method of the second aspect.
A fifteenth aspect of the embodiments of this application provides an authorization verification apparatus including at least one processing element (or chip) for executing the method of the third aspect.
A sixteenth aspect of the embodiments of this application provides an authorization verification apparatus including at least one processing element (or chip) for executing the method of the fourth aspect.
A seventeenth aspect of the embodiments of this application provides a program which, when executed by a processor, executes the method of the first aspect.
An eighteenth aspect of the embodiments of this application provides a program product, such as a computer-readable storage medium, including the program of the seventeenth aspect.
A nineteenth aspect of the embodiments of this application provides a program which, when executed by a processor, executes the method of the second aspect.
A twentieth aspect of the embodiments of this application provides a program product, such as a computer-readable storage medium, including the program of the nineteenth aspect.
A twenty-first aspect of the embodiments of this application provides a program which, when executed by a processor, executes the method of the third aspect.
A twenty-second aspect of the embodiments of this application provides a program product, such as a computer-readable storage medium, including the program of the twenty-first aspect.
A twenty-third aspect of the embodiments of this application provides a program which, when executed by a processor, executes the method of the fourth aspect.
A twenty-fourth aspect of the embodiments of this application provides a program product, such as a computer-readable storage medium, including the program of the twenty-third aspect.
A twenty-fifth aspect of the embodiments of this application provides an authorization verification method, described from the perspective of the mobility management entity of the remote device. The method comprises:
the mobility management entity of the remote device receives an Initial UE Message sent by the base station, the Initial UE Message including the NAS message of the remote device and the identifier of the relay device;
the mobility management entity of the remote device triggers, according to the Initial UE Message, verification of the association relationship between the remote device and the relay device;
after determining that the association relationship has been verified, the mobility management entity of the remote device sends an Initial Context Setup Request message to the base station.
Optionally, the mobility management entity of the remote device triggering, according to the Initial UE Message, verification of the association relationship between the remote device and the relay device comprises:
the mobility management entity of the remote device obtains authorization relationship information according to the identifier of the remote device;
the mobility management entity of the remote device verifies, according to the identifier of the remote device, the identifier of the relay device and the authorization relationship information, whether the remote device is allowed to access the network through the relay device;
where the identifier of the remote device is included in the NAS message of the remote device and/or in the Initial UE Message.
Optionally, before the mobility management entity of the remote device receives the Initial UE Message sent by the base station, it obtains the authorization relationship information from the user data management entity and/or the proximity service function entity according to the identifier of the remote device and stores it in the mobility management entity of the remote device.
Optionally, the mobility management entity of the remote device triggering, according to the Initial UE Message, verification of the association relationship between the remote device and the relay device comprises:
the mobility management entity of the remote device obtains the NAS context information of the remote device according to the identifier of the remote device, and performs an integrity check on the NAS message of the remote device.
Optionally, the method further comprises:
the mobility management entity of the remote device obtains the NAS context information of the remote device according to the identifier of the remote device;
the mobility management entity of the remote device generates the key for protecting communication security between the remote device and the relay device according to the NAS context information;
the mobility management entity of the remote device sends the key and the security parameter needed to generate it to the base station in the Initial Context Setup Request message.
Optionally, the method further comprises:
the mobility management entity of the remote device sends a first verification request message to the mobility management entity of the relay device, so that the mobility management entity of the relay device verifies the association relationship between the remote device and the relay device according to the first verification request message, the first verification request message including the identifier of the remote device and the identifier of the relay device.
Optionally, the method further comprises:
the mobility management entity of the remote device sends a key request message to the security function entity, so that the security function entity obtains, according to the key request message, the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate that key, and feeds back the key and the security parameter to the mobility management entity of the remote device; the key request message includes the identifier of the remote device.
A twenty-sixth aspect of the embodiments of this application provides an authorization verification method, described from the perspective of the base station. The method comprises:
the base station receives a first RRC message sent by the relay device, the first RRC message including the NAS message of the remote device;
the base station identifies, according to the first RRC message, that the remote device requests to access the network through the relay device, obtains the identifier of the relay device, and sends the identifier of the relay device and the NAS message of the remote device to the mobility management entity of the remote device in an Initial UE Message;
the base station receives the Initial Context Setup Request message that the mobility management entity of the remote device sends after determining that the association relationship between the remote device and the relay device has been verified;
the base station establishes context information for the remote device according to the Initial Context Setup Request message, and sends a second RRC message to the relay device.
Optionally, the base station obtaining the identifier of the relay device comprises:
the base station obtains the identifier of the relay device from the first RRC message, or the base station obtains the identifier of the relay device from the context information of the relay device stored in the base station.
Optionally, the identifier of the remote device is included in the NAS message of the remote device and/or in the Initial UE Message.
Optionally, the method further comprises:
the base station establishes a mapping relationship between the remote device and the relay device according to the Initial Context Setup Request message.
Optionally, when the mobility management entity of the remote device generates the key for protecting communication security between the remote device and the relay device, the method further comprises:
the base station receives, from the mobility management entity of the relay device, the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate that key.
Optionally, the method further comprises:
the base station sends a third RRC message to the remote device, so that the remote device generates the key for protecting communication security between the remote device and the relay device according to the third RRC message; the third RRC message includes the security parameter needed to generate the key.
A twenty-seventh aspect of the embodiments of this application provides an authorization verification method, described from the perspective of the relay device. The method comprises:
the relay device receives a communication request sent by the remote device;
the relay device generates a first RRC message according to the communication request and sends the first RRC message to the base station;
the relay device receives a second RRC message that the base station sends after establishing context information for the remote device, and determines, according to the second RRC message, that the remote device is allowed to access the network through the relay device.
Optionally, the method further comprises:
the relay device sends the identifier of the relay device to the base station in the first RRC message, so that the base station identifies that the remote device requests to access the network through the relay device.
Optionally, the method further comprises:
the relay device establishes a mapping relationship between the remote device and the relay device according to the second RRC message sent by the base station.
Optionally, the second RRC message includes the key for protecting communication security between the remote device and the relay device.
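The base station and relay device steps of the twenty-fifth to twenty-seventh aspects, as an added example that is not code from the patent: the relay builds the first RRC message, the base station resolves the relay identifier either from that message or from its stored relay context, forwards an Initial UE Message, and creates the remote context and the remote/relay mapping only once the Initial Context Setup Request arrives. The MME's decision is fed in as an input message; message layouts, field names and identifiers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RrcMessage:
    """Constructed RRC message layout. `relay_id` is optional in the first message:
    the base station may instead resolve the sender from its stored relay context."""
    sender: str
    remote_id: Optional[str] = None
    remote_nas: Optional[bytes] = None
    relay_id: Optional[str] = None
    key: Optional[bytes] = None                 # second RRC message: key for the relay
    security_parameter: Optional[dict] = None   # third RRC message: parameter for the remote


class BaseStation:
    def __init__(self):
        self.relay_contexts = {}    # relays already registered with the network
        self.pending = {}           # remote_id -> relay_id, awaiting the MME decision
        self.remote_contexts = {}
        self.mapping = {}           # remote_id -> relay_id, the mapping relationship

    def register_relay(self, relay_id: str) -> None:
        self.relay_contexts[relay_id] = {"relay_id": relay_id}

    def on_first_rrc(self, msg: RrcMessage) -> Optional[dict]:
        """Identify a relayed access request and build the Initial UE Message for the
        remote device's MME. Returns None when the request cannot be tied to a known relay."""
        if msg.remote_nas is None or msg.remote_id is None:
            return None   # not a relayed request
        relay_id = msg.relay_id
        if relay_id is None:
            ctx = self.relay_contexts.get(msg.sender)
            relay_id = ctx["relay_id"] if ctx else None
        if relay_id is None or relay_id not in self.relay_contexts:
            return None   # unknown relay: nothing is forwarded
        self.pending[msg.remote_id] = relay_id
        return {"type": "InitialUEMessage", "remote_id": msg.remote_id,
                "relay_id": relay_id, "nas": msg.remote_nas}

    def on_initial_context_setup(self, req: dict):
        """Handle the Initial Context Setup Request the MME sends after the association was
        verified: create the remote context and the mapping, then build the second RRC
        message (to the relay) and the third RRC message (to the remote)."""
        remote_id = req["remote_id"]
        relay_id = self.pending.pop(remote_id, None)
        if relay_id is None or relay_id != req.get("relay_id", relay_id):
            return None   # no outstanding request for this remote via this relay
        self.remote_contexts[remote_id] = {"remote_id": remote_id, "via": relay_id}
        self.mapping[remote_id] = relay_id
        second = RrcMessage(sender="eNB", remote_id=remote_id, relay_id=relay_id, key=req.get("key"))
        third = RrcMessage(sender="eNB", remote_id=remote_id, relay_id=relay_id,
                           security_parameter=req.get("security_parameter"))
        return second, third


class RelayDevice:
    def __init__(self, relay_id: str, announce_id: bool = True):
        self.relay_id = relay_id
        self.announce_id = announce_id   # carry own identifier in the first RRC message?
        self.mapping = {}                # remote_id -> key, once access is allowed

    def on_communication_request(self, remote_id: str, remote_nas: bytes) -> RrcMessage:
        return RrcMessage(sender=self.relay_id, remote_id=remote_id, remote_nas=remote_nas,
                          relay_id=self.relay_id if self.announce_id else None)

    def on_second_rrc(self, msg: RrcMessage) -> bool:
        """Access is allowed only after the base station has created the remote context."""
        if msg.relay_id != self.relay_id or msg.remote_id is None:
            return False
        self.mapping[msg.remote_id] = msg.key
        return True


def run_layer2_flow(announce_id: bool = True, mme_verified: bool = True):
    """Drive one access attempt; returns (relay allows the remote?, base station mapping)."""
    enb, relay = BaseStation(), RelayDevice("relay-A", announce_id)
    enb.register_relay("relay-A")
    initial = enb.on_first_rrc(relay.on_communication_request("remote-1", b"constructed-nas"))
    if initial is None or not mme_verified:
        return False, dict(enb.mapping)   # the MME decision is modelled as an input
    # stands in for the Initial Context Setup Request from the remote device's MME
    setup = {"remote_id": initial["remote_id"], "relay_id": initial["relay_id"],
             "key": b"constructed-key", "security_parameter": {"nonce": "00" * 16}}
    second, _third = enb.on_initial_context_setup(setup)
    return relay.on_second_rrc(second), dict(enb.mapping)
```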
A twenty-eighth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including modules or means for executing the method provided by the twenty-fifth aspect and its various implementations.
A twenty-ninth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including modules or means for executing the method provided by the twenty-sixth aspect and its various implementations.
A thirtieth aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including modules or means for executing the method provided by the twenty-seventh aspect and its various implementations.
A thirty-first aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including a processor and a memory, the memory storing a program and the processor calling the program stored in the memory to execute the method provided by the twenty-fifth aspect of this application.
A thirty-second aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including a processor and a memory, the memory storing a program and the processor calling the program stored in the memory to execute the method provided by the twenty-sixth aspect of this application.
A thirty-third aspect of the embodiments of this application provides an authorization verification apparatus, the apparatus including a processor and a memory, the memory storing a program and the processor calling the program stored in the memory to execute the method provided by the twenty-seventh aspect of this application.
A thirty-fourth aspect of the embodiments of this application provides an authorization verification apparatus including at least one processing element (or chip) for executing the method of the twenty-fifth aspect.
A thirty-fifth aspect of the embodiments of this application provides an authorization verification apparatus including at least one processing element (or chip) for executing the method of the twenty-sixth aspect.
A thirty-sixth aspect of the embodiments of this application provides an authorization verification apparatus including at least one processing element (or chip) for executing the method of the twenty-seventh aspect.
A thirty-seventh aspect of the embodiments of this application provides a program which, when executed by a processor, executes the method of the twenty-fifth aspect.
A thirty-eighth aspect of the embodiments of this application provides a program product, such as a computer-readable storage medium, including the program of the thirty-seventh aspect.
A thirty-ninth aspect of the embodiments of this application provides a program which, when executed by a processor, executes the method of the twenty-sixth aspect.
A fortieth aspect of the embodiments of this application provides a program product, such as a computer-readable storage medium, including the program of the thirty-ninth aspect.
A forty-first aspect of the embodiments of this application provides a program which, when executed by a processor, executes the method of the twenty-seventh aspect.
A forty-second aspect of the embodiments of this application provides a program product, such as a computer-readable storage medium, including the program of the forty-first aspect.
In the above aspects, the relay device receives the communication request sent by the remote device, generates a first RRC message according to it and sends that message to the base station. The base station receives the first RRC message, which includes the NAS message of the remote device, identifies from it that the remote device requests to access the network through the relay device, obtains the identifier of the relay device, and sends the identifier of the relay device and the NAS message of the remote device to the mobility management entity of the remote device in an Initial UE Message. The mobility management entity of the remote device receives the Initial UE Message, triggers verification of the association relationship between the remote device and the relay device according to it, and, after determining that the association relationship has been verified, sends an Initial Context Setup Request message to the base station. The base station establishes context information for the remote device according to the Initial Context Setup Request message and sends a second RRC message to the relay device; finally, the relay device determines according to the second RRC message that the remote device is allowed to access the network through the relay device. The technical solution of this application is directed at layer 2 relay devices and designs a scheme for verifying the association relationship between a remote device and a relay device, which avoids the cumbersome parameter configuration procedure and the complex authorization check procedure that existing layer 3 relay schemes require. Compared with the existing layer 3 solution, the layer 2 solution of this application lowers network deployment requirements, reduces network overhead and improves verification efficiency.
Description of the drawings
Fig. 1 is an interaction diagram of Embodiment 1 of the authorization verification method provided by the embodiments of this application;
Fig. 2 is a flow chart of Embodiment 2 of the authorization verification method provided by the embodiments of this application;
Fig. 3 is a flow chart of Embodiment 3 of the authorization verification method provided by the embodiments of this application;
Fig. 4 is a flow chart of Embodiment 4 of the authorization verification method provided by the embodiments of this application;
Fig. 5 is a flow chart of Embodiment 5 of the authorization verification method provided by the embodiments of this application;
Fig. 6 is an interaction diagram of Embodiment 6 of the authorization verification method provided by the embodiments of this application;
Fig. 7 is an interaction diagram of Embodiment 7 of the authorization verification method provided by the embodiments of this application;
Fig. 8 is a flow chart of Embodiment 8 of the authorization verification method provided by the embodiments of this application;
Fig. 9 is a flow chart of Embodiment 9 of the authorization verification method provided by the embodiments of this application;
Fig. 10 is a flow chart of Embodiment 10 of the authorization verification method provided by the embodiments of this application;
Fig. 11 is an interaction diagram of Embodiment 11 of the authorization verification method provided by the embodiments of this application;
Fig. 12 is an interaction diagram of Embodiment 12 of the authorization verification method provided by the embodiments of this application;
Fig. 13 is an interaction diagram of Embodiment 13 of the authorization verification method provided by the embodiments of this application;
Fig. 14 is an interaction diagram of Embodiment 14 of the authorization verification method provided by the embodiments of this application;
Fig. 15 is an interaction diagram of Embodiment 15 of the authorization verification method provided by the embodiments of this application;
Fig. 16 is a schematic structural diagram of an authorization verification apparatus provided by the embodiments of this application;
Fig. 17 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 18 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 19 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 20 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 21 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 22 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 23 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 24 is an interaction diagram of Embodiment 16 of the authorization verification method provided by the embodiments of this application;
Fig. 25 is a flow diagram of Embodiment 17 of the authorization verification method provided by the embodiments of this application;
Fig. 26 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 27 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application;
Fig. 28 is a schematic structural diagram of another authorization verification apparatus provided by the embodiments of this application.
Detailed Description
The following explains some of the terms used in the embodiments of this application, so that a person skilled in the art can understand them:
Remote device: may be a wireless terminal, which may refer to a device that provides a user with voice and/or other service data connectivity, a handheld device with a wireless connection function, or another processing device connected to a wireless modem. To reduce power consumption, a remote device usually accesses the network through a relay device. A remote device may also be called a system, a subscriber unit (Subscriber Unit), a subscriber station (Subscriber Station), a mobile station (Mobile Station), a mobile (Mobile), a remote station (Remote Station), a remote terminal (Remote Terminal), an access terminal (Access Terminal), a user terminal (User Terminal), a user agent (User Agent), or user equipment (User Device or User Equipment), without limitation.
Relay device: also called a relay, is a device connected between the remote device and the network. It may be a device that provides relaying for the network connection of the remote device at a wireless network layer (for example, the PDCP layer); it may also be a device connected between the remote device and the network that amplifies and retransmits the transmitted signal, so as to avoid attenuation of the signal during transmission and effectively improve transmission reliability. A relay device may also be understood as an interworking device that constructs the network at the physical layer. The embodiments of this application do not limit the specific form of the relay device.
Mobility management entity (Mobility Management Entity, MME for short): its main functions are to support non-access stratum (Non-Access Stratum, NAS) signalling and its security, tracking area list management, selection of the packet data network gateway (Packet Data Network Gateway, P-GW) and the serving gateway (Serving Gateway, S-GW), MME selection during inter-MME handover, serving GPRS support node (Serving GPRS Support Node, SGSN) selection during handover to a 2G/3G access system, user authentication, roaming control and bearer management, mobility management between core network nodes of different 3GPP access networks, and UE reachability management in idle state. The MME in the embodiments of this application may include the MME of the relay device and the MME of the remote device. The MME of the relay device is the MME currently serving the relay device, and the MME of the remote device is the MME currently serving the remote device. Functionally, the two MMEs are no different; therefore the MME currently serving the relay device and the MME currently serving the remote device may be the same MME, and the MME referred to in all embodiments of this application generally means such an MME. This application also does not exclude another kind of MME, in which the MME of the relay device is an MME dedicated to serving relay devices and the MME of the remote device is an MME dedicated to serving remote devices; in that case the two MMEs may differ functionally. It may also be an MME that integrates the MME function of the relay device and that of the remote device in one. These MMEs may be used to verify whether the remote device is allowed to access the network through the relay device. The MME may also be a mobility management function entity in a future 5G network, for example an access and mobility management function entity (access and mobility management function, AMF for short).
Base station: also called radio access network (Radio Access Network, RAN) equipment, is a device that connects a terminal to the wireless network. It may be a base transceiver station (Base Transceiver Station, BTS) in the global system for mobile communications (Global System for Mobile communications, GSM) or in code division multiple access (Code Division Multiple Access, CDMA), a NodeB (NB) in wideband code division multiple access (Wideband Code Division Multiple Access, WCDMA), an evolved NodeB (Evolved Node B, eNB or eNodeB) in long term evolution (Long Term Evolution, LTE), or a relay station, an access point, or a base station in a future 5G network, without limitation here.
In the embodiments of this application, "multiple" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
In all embodiments of this application, if the MME currently serving the relay device and the MME currently serving the remote device are the same MME, the interaction between the two MMEs may be omitted or is internal to that MME.
Fig. 1 is an interaction diagram of authorization verification method embodiment one provided by the embodiments of this application. The embodiment is illustrated by the interaction among the relay device, the mobility management entity of the relay device and the mobility management entity of the remote device. As shown in Fig. 1, the authorization verification method provided by the embodiments of this application may include the following steps:
Step 101: the relay device receives a communication request sent by the remote device.
As an example, the communication request includes the identifier of the remote device.
Optionally, the communication request further includes one or more of the following: a non-access stratum message of the remote device, a relay service code (Relay service code), and a first random number. Optionally, the first random number is generated by the remote device and may be carried directly in the communication request. Optionally, if there is a first random number, it may instead be carried in the non-access stratum message of the remote device rather than directly in the communication request.
In the embodiments of this application, the remote device may be a wearable device (wearable device, WD for short). The remote device (WD) wishes to connect to the network through a relay device (relay), and the association relationship between the relay device and the remote device needs to be verified before the remote device is allowed to access the network through the relay device.
Optionally, before the relay device receives the communication request sent by the remote device, the relay device and the remote device need to complete the following discovery procedure: specifically, both the relay device and the remote device need to access the network to obtain the configuration parameters used for discovery, and then discover each other according to these configuration parameters.
Optionally, the remote device sends the communication request to the relay device, and the communication request needs to carry at least the identifier of the remote device.
As an example, the identifier of the remote device may be contained directly in the communication request. As another example, if the communication request also contains a NAS message of the remote device, the remote device may encapsulate its identifier in its own NAS message, in which case the identifier is contained in the NAS message of the remote device included in the communication request. As another example, the identifier of the remote device may be included both directly in the communication request and in the NAS message of the remote device within the communication request. Therefore, there are many ways for the communication request to include the identifier of the remote device, and the embodiments of this application are not limited in this respect.
In the embodiments of this application, optionally, the NAS message of the remote device carries a MAC-I check value computed under the NAS security context of the remote device, so that the MME of the remote device can authenticate the remote device by verifying the MAC-I of the NAS message.
It should be noted that the identifier of the remote device described in the embodiments of this application may take at least two different forms: one form is suitable for authorization verification, and the other form is suitable for the mobility management entity of the relay device to find the mobility management entity of the remote device and to obtain the context information of the remote device. For example, optionally, the remote device identifier in the communication request includes identifier 1, which is used by the mobility management entity of the relay device to find the mobility management entity of the remote device; the remote device identifier in the communication request includes identifier 2, which is used by the mobility management entity of the relay device or the mobility management entity of the remote device to perform authorization verification on the association relationship between the relay device and the remote device; and the remote device identifier in the NAS message of the remote device includes identifier 3, which is used to obtain the context information of the remote device. Optionally, identifier 1 and identifier 3 may be the same identifier. This embodiment does not distinguish between the specific forms of the remote device identifier.
Optionally, identifier 1 and identifier 3 may be a globally unique temporary UE identity (Globally Unique Temporary UE Identity, GUTI), an international mobile subscriber identity (International Mobile Subscriber Identity, IMSI), or a temporary mobile subscriber identity (Temporary Mobile Subscriber Identity, TMSI), etc. Optionally, identifier 2 may be an identifier allocated by the proximity service function entity.
Step 102: the relay device generates a first request message according to the communication request.
The first request message includes the identifier of the remote device. Optionally, the first request message is a non-access stratum (NAS) message between the relay device (relay) and the mobility management entity (MME).
As an example, after receiving the communication request from the remote device, the relay device may encapsulate the relevant content of the communication request into its own first request message.
As another example, the relay device may both encapsulate the relevant content of the communication request into its own first request message and integrate into the first request message other parameters needed to verify the association relationship between the remote device and the relay device; for example, optionally, the first request message may also include the identifier of the relay device.
Specifically, the relevant content encapsulated into the first request message includes the identifier of the remote device from step 101 and may also include the NAS message of the remote device from step 101. Optionally, when the communication request in step 101 further includes a relay service code (Relay service code) or a first random number, the content encapsulated into the first request message also includes that relay service code or first random number. The relay service code characterizes the type of service requested by the remote device and is used for verifying the association relationship between the remote device and the relay device. The first random number is generated by the remote device and is used for subsequent key generation; for the specific key generation method, refer to the description in step 502 below. The first random number may be carried in the manner described in step 101.
Step 103: the relay device sends the first request message to the mobility management entity of the relay device.
After generating the first request message according to the communication request, the relay device sends it to the mobility management entity of the relay device, which triggers verification of the association relationship between the remote device and the relay device according to the content of the first request message.
Step 104: the mobility management entity of the relay device receives the first request message.
For the content of the first request message, refer to the description in step 102.
Step 105: the mobility management entity of the relay device triggers verification of the association relationship between the remote device and the relay device according to the first request message.
Optionally, in this embodiment, after receiving the first request message sent by the relay device, the mobility management entity of the relay device may perform any one of the following operations. First operation: the mobility management entity of the relay device itself triggers verification of the association relationship between the remote device and the relay device according to the content of the first request message. Second operation: the mobility management entity of the relay device sends the content of the first request message to the mobility management entity of the remote device or to the proximity service function entity, so that the mobility management entity of the remote device or the proximity service function entity performs further security processing. Third operation: both the first operation and the second operation are performed.
Optionally, when the mobility management entity of the relay device performs the third operation, the embodiments of this application do not limit the order in which the first operation and the second operation are performed. For example, the first operation, in which the mobility management entity of the relay device itself verifies the association relationship between the remote device and the relay device according to the content of the first request message, may be performed in step 105d below; optionally, that verification may use information returned in step 105c below, such as the IMSI of the remote device.
Step 106: after determining that the association relationship is verified, the mobility management entity of the relay device generates a first response message and sends the first response message to the relay device.
Optionally, in the embodiments of this application, the mobility management entity of the relay device determining that the association relationship is verified may specifically include at least one of the following: the mobility management entity of the relay device itself determines that the association relationship between the remote device and the relay device is verified; the mobility management entity of the remote device determines that the association relationship between the remote device and the relay device is verified; or the proximity service function entity determines that the association relationship between the remote device and the relay device is verified.
As an example, when verification of the association relationship between the remote device and the relay device only needs to be performed at any one of the mobility management entity of the relay device, the mobility management entity of the remote device, or the proximity service function entity, the first response message may be generated and fed back to the relay device once that verification passes.
As another example, when verification of the association relationship between the remote device and the relay device needs to be performed at any two, or all three, of the mobility management entity of the relay device, the mobility management entity of the remote device, and the proximity service function entity, the association relationship is considered verified only when the corresponding two or three verifications all pass; the mobility management entity of the relay device then generates the first response message and feeds it back to the relay device.
Step 107: the relay device receives the first response message.
As an example, when the association relationship between the remote device and the relay device is verified, the first response message may carry the key for protecting communication security between the remote device and the relay device and the security parameters needed to generate the key.
As another example, when the association relationship between the remote device and the relay device is verified, but the integrity check of the NAS message of the remote device fails, or the NAS message of the remote device is not integrity protected, or the first request message and the second request message do not carry the NAS message of the remote device, the MME (the MME of the relay device or the MME of the remote device) sends a key request message to the security function entity to obtain the key for protecting communication security between the remote device and the relay device and the security parameters needed to generate the key.
As another example, when verification of the association relationship between the remote device and the relay device fails, the first response message may include parameters such as the failure cause.
It should be noted that the embodiments of this application do not limit the specific content of the first response message.
Step 108: the relay device sends a communication response to the remote device according to the first response message.
Optionally, the relay device may generate a communication response according to the received first response message and send it to the remote device as the result of verifying the association relationship between the remote device and the relay device; the communication response is one form of result for the communication request. Optionally, if the first response message carries the key for protecting communication security between the remote device and the relay device and the security parameters needed to generate the key, the communication response contains the security parameters needed to generate the key, so that the remote device can likewise generate the key for protecting communication security between the remote device and the relay device.
When the communication response indicates that verification of the association relationship passed and the remote device has generated the key for protecting communication security between the remote device and the relay device, the remote device can connect to the network through the relay device.
Optionally, in this embodiment, step 105 above may be implemented by step 105a; correspondingly, the authorization verification method of this embodiment further includes steps 105b to 105d.
Step 105a: the mobility management entity of the relay device sends a second request message to the mobility management entity of the remote device.
The second request message includes the identifier of the remote device.
As an example, when triggering verification of the association relationship between the remote device and the relay device, the mobility management entity of the relay device may also send the second request message to the mobility management entity of the remote device according to the identifier of the remote device in the first request message, so that the mobility management entity of the remote device performs security processing on the remote device, or further verification of the association relationship between the remote device and the relay device, according to the second request message.
Optionally, the second request message further includes the identifier of the relay device. The identifier of the relay device and the identifier of the remote device are used by the MME of the remote device to perform authorization verification on the association relationship between the relay device and the remote device.
Optionally, the identifier of the relay device in the second request message may be obtained in either of the following ways: first, the mobility management entity of the relay device obtains it from the relay device context information stored internally and encapsulates it into the second request message; second, when the first request message includes the identifier of the relay device, the mobility management entity of the relay device obtains it from the reported first request message. The embodiments of this application do not specifically limit how the identifier of the relay device is obtained.
Optionally, the second request message further includes the NAS message of the remote device obtained from the first request message. Optionally, the second request message further includes the first random number generated by the remote device. The content of the NAS message and the first random number may be carried in the manner described in step 101.
Optionally, the first request message includes an identifier of the remote device that the MME of the relay device uses to find the MME of the remote device; specifically, the MME of the relay device determines the MME of the remote device according to that identifier of the remote device and then sends the second request message to it. For the specific form of the identifier of the remote device, refer to the description in step 101, which is not repeated here.
Step 105b: the mobility management entity of the remote device receives the second request message and performs security processing on the remote device according to the second request message.
Optionally, if the second request message includes the non-access stratum (NAS) message of the remote device obtained from the first request message, the security processing may include integrity verification of the NAS message of the remote device.
Optionally, the security processing may also include verifying the association relationship between the remote device and the relay device according to the identifier of the relay device and/or the identifier of the remote device in the second request message.
Optionally, the MME of the remote device may also obtain the non-access stratum context information of the remote device according to the identifier of the remote device in the second request message, and generate the key for protecting communication security between the remote device and the relay device according to that non-access stratum context information. Optionally, the identifier may be a GUTI, a TMSI or an IMSI, etc.; for details, refer to the description in step 101, which is not repeated here. The MME of the remote device may obtain the identifier of the remote device directly from the second request message, or from the NAS message of the remote device carried in the second request message.
Optionally, when the association relationship between the remote device and the relay device is verified, but the integrity check of the NAS message of the remote device fails, or the NAS message of the remote device is not integrity protected, or the first request message and the second request message do not carry the NAS message of the remote device, the MME of the remote device sends a key request message to the security function entity to obtain the key for protecting communication security between the remote device and the relay device and the security parameters needed to generate the key.
Optionally, in step 105b, the (first) key generated by the MME of the remote device may be used directly as the PC5 interface communication key to protect PC5 interface communication. That is, the relay applies security protection (for example, integrity protection) to the communication response directly with the received (first) key; correspondingly, the WD generates the (first) key, that is, the PC5 communication key, from the received security parameters needed to generate the key, and then performs security verification (for example, integrity verification) of the communication response message. Optionally, the PC5 communication key may instead be a (second) key that the relay further derives from the (first) key generated by the MME of the remote device: the relay derives the (second) key from the received (first) key, uses it as the PC5 communication key to protect the communication response (for example, integrity protection), and correspondingly the WD first generates the (first) key from the received security parameters and then derives the (second) key from the (first) key; that (second) key is the PC5 communication key, with which the WD performs security verification (for example, integrity verification) of the communication response message.
Step 105c: after performing security processing on the remote device, the mobility management entity of the remote device sends a second response message to the mobility management entity of the relay device.
After performing security processing on the remote device according to the content of the second request message, the mobility management entity of the remote device generates a second response message according to the result of the security processing and feeds the second response message back to the mobility management entity of the relay device.
Optionally, when the MME of the remote device has generated the key for protecting communication security between the remote device and the relay device, the second response message includes the key and the security parameters needed to generate the key.
Optionally, the key and the security parameters needed to generate the key received by the mobility management entity of the relay device are one form of the content of the second response message. Optionally, the second response message may include a non-access stratum message generated by the mobility management entity of the remote device. Optionally, that non-access stratum message is integrity protected with the NAS security context of the remote device and is sent, via the mobility management entity of the relay device, to the relay device and on to the remote device, so that the remote device authenticates the network by verifying the integrity of that non-access stratum message. Optionally, the key generation parameters may be contained in that non-access stratum message.
Step 105d: the mobility management entity of the relay device receives the second response message.
In the authorization verification method provided by the embodiments of this application, the relay device receives a communication request sent by the remote device, which includes the identifier of the remote device, generates a first request message according to the communication request and sends the first request message to the mobility management entity of the relay device; the mobility management entity of the relay device receives the first request message, triggers verification of the association relationship between the remote device and the relay device, and sends a second request message to the mobility management entity of the remote device; the mobility management entity of the remote device receives the second request message, performs security processing on the remote device according to the second request message, and then sends a second response message to the mobility management entity of the relay device; the mobility management entity of the relay device receives the second response message, generates a first response message after determining that the association relationship is verified, and sends it to the relay device; and the relay device sends a communication response to the remote device according to the first response message. The technical solution of this application designs, for a layer 2 relay device, a scheme for verifying the association relationship between the remote device and the relay device, which avoids the complex and cumbersome parameter configuration and authorization check procedures required by existing layer 3 relay solutions; compared with existing layer 3 solutions, the layer 2 solution of this application reduces network deployment requirements, reduces network overhead, and improves verification efficiency.
On the basis of the embodiment shown in Fig. 1, Fig. 2 is a flowchart of authorization verification method embodiment two provided by the embodiments of this application. As shown in Fig. 2, in the authorization verification method provided by the embodiments of this application, step 105 above (the mobility management entity of the relay device triggers verification of the association relationship between the remote device and the relay device according to the first request message) may further include the following steps:
Step 201: the mobility management entity of the relay device obtains first authorization information according to the first request message.
Specifically, when the mobility management entity of the relay device itself verifies the association relationship between the remote device and the relay device, it first needs to obtain the context of the relay device, and from that context obtain the list of remote devices that have an authorization relationship with the relay device, that is, the first authorization information.
Optionally, as an example, after the relay device has successfully registered with the network, the mobility management entity of the relay device obtains the first authorization information from the user data management entity and/or the proximity service function entity according to the identifier of the relay device.
In this embodiment, after the relay device has successfully registered with the network, the first authorization information relating the relay device to remote devices is stored in the user data management entity and/or the proximity service function entity in the network. If the first authorization information is stored in the user data management entity, the mobility management entity of the relay device obtains it directly from the user data management entity (for example, the home subscriber server (Home Subscriber Server, HSS), or the user data management entity (User Data Management, UDM) in a 5G system). If the mobility management entity of the relay device obtains the first authorization information from the proximity service function entity, then: when the mobility management entity of the relay device can communicate directly with the proximity service function entity, that is, a direct interface exists between them, the mobility management entity of the relay device obtains the first authorization information directly from the proximity service function entity; when they cannot communicate directly, that is, no direct interface exists between them, the proximity service function entity sends the first authorization information to the mobility management entity of the relay device via the HSS.
Step 202: the mobility management entity of the relay device verifies, according to the identifier of the remote device, the identifier of the relay device and the first authorization information, whether the remote device is allowed to access the network through the relay device.
Before verifying the association relationship, the mobility management entity of the relay device first obtains the identifier of the relay device. For how the identifier of the relay device is obtained, refer to the description in step 105a above: optionally, the mobility management entity of the relay device obtains it from its internally stored context or from the first request message reported by the relay device; this is not repeated here.
Once the mobility management entity of the relay device has the identifier of the remote device, the identifier of the relay device and the first authorization information, it determines whether the first authorization information includes the association relationship between the relay device and the remote device. If the first authorization information includes the association relationship between the relay device and the remote device, the remote device is allowed to access the network through the relay device; otherwise, the remote device is not allowed to access the network through the relay device.
In the authorization verification method provided by the embodiments of this application, when the mobility management entity of the relay device triggers verification of the association relationship between the remote device and the relay device according to the first request message, it can obtain the first authorization information according to the first request message and then verify, according to the identifier of the remote device, the identifier of the relay device and the first authorization information, whether the remote device is allowed to access the network through the relay device. This way of verifying the association relationship is simple and easy to implement.
Optionally, on the basis of the embodiment shown in Fig. 1, as an example, when the first request message further includes a relay service code, step 105 above can be realized by the following possible implementation:
The mobile management entity of trunking obtains the first authorization message according to the first request message, and verifies, according to the identifier of the remote equipment, the identifier of trunking, the relay service code and the first authorization message, whether the remote equipment is allowed to access the network through trunking. In this case the first authorization message is a relation list of the remote equipment that has an authorization relationship with trunking and the corresponding relay service codes.
When the communication request that the remote equipment sends to trunking further includes a relay service code, the first request message that trunking generates by integrating that request also includes the relay service code. The relay service code characterizes the type of service that the remote equipment is requesting; different relay service codes correspond to different types of service. Therefore, in the present embodiment, the mobile management entity of trunking also takes the relay service code into account when verifying the association relationship between the remote equipment and trunking. Specifically, the mobile management entity of trunking verifies, according to the identifier of the remote equipment, the identifier of trunking, the relay service code and the first authorization message, whether the remote equipment is allowed to access the network through trunking.
This step is in fact a further refinement of the embodiment shown in Fig. 2; only the decision condition gains the relay service code. For the way the first authorization message is obtained, refer to the description of step 201; for the way the identifier of trunking is obtained, refer to the description of step 105a. Details are not repeated here.
Optionally, on the basis of the above embodiments, the authority checking method provided by the embodiments of the present application further includes the following step.
The mobile management entity of trunking sends a third request message to the short distance functional entity, so that the short distance functional entity verifies, according to the third request message, whether the remote equipment is allowed to access the network through trunking.
Wherein, the third request message includes the identifier of the remote equipment and the identifier of trunking.
As an example, regarding how the mobile management entity of the terminal device triggers verification of the association relationship between the remote equipment and trunking: besides the mobile management entity of trunking verifying it itself, and besides sending the second request message to the mobile management entity of the remote equipment so that the latter verifies it, the mobile management entity of trunking can also send a third request message to the short distance functional entity so that the short distance functional entity verifies it.
It is worth noting that the third request message includes at least the identifier of the remote equipment and the identifier of trunking. Optionally, the identifier of the remote equipment and the identifier of trunking in the third request message can be taken from the reported first request message. Optionally, when the communication request includes a relay service code, the first request message, the second request message and the third request message may each include the relay service code. Optionally, the relay service code characterizes the type of service that the remote equipment is requesting and takes part in verifying the association relationship between the remote equipment and trunking.
Further, on the basis of any of the above embodiments, Fig. 3 is the flow chart of authority checking method embodiment three provided by the embodiments of the present application. As shown in Fig. 3, the authority checking method provided by the embodiments of the present application further includes the following steps:
Step 301: the mobile management entity of trunking sends a secret key request message to the security function entity, so that the security function entity, according to the secret key request message, obtains the key for protecting communication security between the remote equipment and trunking and the security parameter needed to generate that key, and feeds back the key and the security parameter to the mobile management entity of trunking.
The secret key request message includes the identifier of the remote equipment.
Step 302: the mobile management entity of trunking sends the key and the security parameter needed to generate the key to trunking.
As an example, when the mobile management entity of trunking, the mobile management entity of the remote equipment or the short distance functional entity has verified the association relationship between the remote equipment and trunking, but the second response message received by the mobile management entity of trunking carries neither the key for protecting communication security between the remote equipment and trunking nor the security parameter needed to generate the key, the mobile management entity of trunking sends a secret key request message to the security function entity. The security function entity then, according to the identifier of the remote equipment in the secret key request message, looks up and obtains the key for protecting communication security between the remote equipment and trunking and the security parameter needed to generate that key, and feeds them back to the mobile management entity of trunking. Finally, the mobile management entity of trunking feeds the key and the security parameter back to trunking, so that trunking can process the key and the security parameter accordingly.
In this way, even if the second response message received by the mobile management entity of trunking does not carry the key for protecting communication security between the remote equipment and trunking or the security parameter needed to generate the key, trunking can still obtain both, which ensures that the remote equipment can access the network through the trunking.
On the basis of the embodiment shown in Fig. 1, Fig. 4 is the flow chart of authority checking method embodiment four provided by the embodiments of the present application. As shown in Fig. 4, in the authority checking method provided by the embodiments of the present application, step 105b above (the mobile management entity of the remote equipment receives the second request message and performs safety processing on the remote equipment according to the second request message) may in particular include the following steps:
Step 401: the mobile management entity of the remote equipment obtains the second authorization message according to the second request message.
Specifically, after the remote equipment has successfully registered to the network, the mobile management entity of the remote equipment obtains the second authorization message from the user data management entity and/or the short distance functional entity according to the identifier of the remote equipment.
This step is similar to step 201 above. The difference is that step 201 obtains the list of remote equipment that has an authorization relationship with the trunking, that is, the first authorization message, whereas this step obtains the list of trunking that has an authorization relationship with the remote equipment, that is, the second authorization message. Similarly, after the remote equipment has successfully registered to the network, the second authorization message relating the remote equipment to trunking is stored in the user data management entity and/or the short distance functional entity of the network. When the second authorization message is held in the user data management entity, the mobile management entity of the remote equipment obtains it directly from the user data management entity. When the mobile management entity of the remote equipment obtains the second authorization message from the short distance functional entity, two cases apply: if a direct interface exists between the mobile management entity of the remote equipment and the short distance functional entity, the mobile management entity of the remote equipment obtains the second authorization message directly from the short distance functional entity; if no direct interface exists between them, the mobile management entity of the remote equipment obtains the second authorization message from the short distance functional entity through the HSS.
Step 402: the mobile management entity of the remote equipment verifies, according to the identifier of the remote equipment, the identifier of trunking and the second authorization message, whether the remote equipment is allowed to access the network through trunking.
Similarly to step 202 above, when verifying the association relationship between the remote equipment and trunking, the mobile management entity of the remote equipment judges, according to the identifier of the remote equipment, the identifier of trunking and the obtained second authorization message, whether the second authorization message contains the association relationship between the remote equipment and trunking. If it does, the remote equipment is allowed to access the network through the trunking; otherwise, the remote equipment is not allowed to access the network through the trunking.
As an example, when the second request message further includes a relay service code, the specific implementation of step 105b above (the mobile management entity of the remote equipment receives the second request message and performs safety processing on the remote equipment according to the second request message) is as follows:
The mobile management entity of the remote equipment verifies, according to the identifier of the remote equipment, the identifier of trunking, the relay service code and the second authorization message, whether the remote equipment is allowed to access the network through trunking. In this case the second authorization message is a relation list of the trunking that has an authorization relationship with the remote equipment and the corresponding relay service codes.
This step is a further explanation of step 402 above: the decision condition gains the relay service code, that is, the type of service requested by the remote equipment. The specific decision procedure is similar to the way the mobile management entity of trunking verifies the association relationship between the remote equipment and trunking according to the identifier of the remote equipment, the identifier of trunking, the relay service code and the first authorization message, and is not repeated here.
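As an added example (not code from the patent or from Huawei), the following Python sketch models the association check of step 202 (the mobile management entity of trunking, using the first authorization message) and of step 402 (the mobile management entity of the remote equipment, using the second authorization message), including the relay-service-code variant of both. The subscription table, the identifiers and the service codes are constructed. The patent fixes no storage format, so the example keeps one subscription table and projects it per relay or per remote device; an entry without service codes is treated as the buddy-list form that names the pair but no service type, which this example reads as permitting any service (an assumption).

```python
"""Association check for steps 202 and 402 (constructed example, not the patent's code)."""

# Constructed subscription data: (relay id, remote device id, permitted relay
# service codes).  None stands for the buddy-list form, which names the pair but
# no service type; this example treats that as "any service" (an assumption).
SUBSCRIPTIONS = [
    ("relay-1", "wd-1", None),
    ("relay-1", "wd-2", frozenset({"rsc-health", "rsc-msg"})),
    ("relay-2", "wd-2", frozenset({"rsc-msg"})),
]


def first_authorization_message(relay_id):
    """Step 201: the remote devices that hold an authorization relationship with
    this relay, with their relay service codes (fetched from HSS/UDM or PF)."""
    return {wd: codes for relay, wd, codes in SUBSCRIPTIONS if relay == relay_id}


def second_authorization_message(wd_id):
    """Step 401: the relays that hold an authorization relationship with this
    remote device, with their relay service codes."""
    return {relay: codes for relay, wd, codes in SUBSCRIPTIONS if wd == wd_id}


def association_allowed(auth_msg, peer_id, relay_service_code=None):
    """Steps 202/402 and their relay-service-code variants.

    The peer must appear in the authorization message.  When the request carried
    a relay service code, that code must also be one the subscription permits.
    """
    if peer_id not in auth_msg:
        return False                    # no association relationship at all
    permitted = auth_msg[peer_id]
    if relay_service_code is None:
        return True                     # plain association check, no service code
    if permitted is None:
        return True                     # buddy-list entry: no service restriction
    return relay_service_code in permitted


def mme_relay_check(relay_id, wd_id, relay_service_code=None):
    """What the mobile management entity of trunking decides in step 202."""
    return association_allowed(first_authorization_message(relay_id), wd_id,
                               relay_service_code)


def mme_wd_check(wd_id, relay_id, relay_service_code=None):
    """What the mobile management entity of the remote equipment decides in step 402."""
    return association_allowed(second_authorization_message(wd_id), relay_id,
                               relay_service_code)


if __name__ == "__main__":
    for relay, wd, rsc in [("relay-1", "wd-1", None),
                           ("relay-1", "wd-2", "rsc-health"),
                           ("relay-1", "wd-2", "rsc-video"),
                           ("relay-2", "wd-1", None)]:
        print(relay, wd, rsc, "->",
              "MME-relay:", mme_relay_check(relay, wd, rsc),
              "MME-WD:", mme_wd_check(wd, relay, rsc))
```

Because both checks read the same underlying subscription, a remote device that is absent from one list is absent from the other, which is why the patent can let either entity (or the short distance functional entity) perform the check alone, or both perform it.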
Optionally, as shown in Fig. 4, in the authority checking method provided by the embodiments of the present application, step 105b above further includes the following step:
Step 403: the mobile management entity of the remote equipment obtains the non-access stratum context information of the remote equipment according to the identifier of the remote equipment in the second request message, and verifies the check code of the non-access stratum message of the remote equipment according to that non-access stratum context information.
Wherein, the second request message includes the non-access stratum message of the remote equipment and the check code of that non-access stratum message.
In the present embodiment, when the first request message further includes the non-access stratum message of the remote equipment and the check code of that non-access stratum message, the second request message also includes the non-access stratum message of the remote equipment and the check code of that non-access stratum message. In this case the mobile management entity of the remote equipment can additionally verify the non-access stratum message of the remote equipment; in particular, it verifies the check code of the non-access stratum message of the remote equipment according to the non-access stratum context information of the remote equipment.
It is worth noting that executing step 401, step 402 and step 403 above is one optional way for the mobile management entity of the remote equipment to perform safety processing on the remote equipment. That is, in one embodiment, the mobile management entity of the remote equipment may execute one or more of step 401, step 402 and step 403, and when several of these steps are executed, the embodiments of the present application do not limit the order in which they are executed.
In the authority checking method provided by the embodiments of the present application, the mobile management entity of the remote equipment not only obtains the second authorization message according to the second request message, but also, when the second request message further includes a relay service code, verifies according to the identifier of the remote equipment, the identifier of trunking, the relay service code and the second authorization message whether the remote equipment is allowed to access the network through trunking. Furthermore, it obtains the non-access stratum context information of the remote equipment according to the identifier of the remote equipment in the second request message and verifies the check code of the non-access stratum message of the remote equipment according to that context information; in this way, checking the integrity of the non-access stratum message completes the safety certification between the remote equipment and trunking.
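An added illustration of step 403, not the patent's or Huawei's code: the mobile management entity of the remote equipment looks up the NAS context by the remote device identifier carried in the second request message and verifies the check code over the remote device's NAS message. The NAS contexts, keys, identifiers and message are constructed. The check code is computed as an HMAC-SHA256 over the NAS count and the message, truncated to 32 bits, which is an assumption standing in for whatever NAS integrity algorithm the deployment uses. The NAS count comparison is an addition as well: a check code on its own proves who produced the message but not that it is fresh, so the verifier also refuses a message whose count has gone backwards.

```python
import hashlib
import hmac
import struct

# Constructed NAS security contexts held by the mobile management entity of the
# remote equipment, keyed by remote device id.  k_nas_int is the NAS integrity
# key; ul_count is the next NAS count the verifier expects.
NAS_CONTEXTS = {
    "wd-1": {"k_nas_int": bytes.fromhex("00112233445566778899aabbccddeeff"),
             "ul_count": 7},
}


def nas_check_code(k_nas_int, nas_count, nas_message):
    """Check code over NAS count || NAS message.

    HMAC-SHA256 truncated to 32 bits is an assumption standing in for the NAS
    integrity algorithm; the patent names none.
    """
    mac = hmac.new(k_nas_int, struct.pack(">I", nas_count) + nas_message,
                   hashlib.sha256).digest()
    return mac[:4]


def verify_remote_nas_message(wd_id, nas_count, nas_message, check_code):
    """Step 403: fetch the NAS context by the remote device identifier carried
    in the second request message and verify the check code.

    Returns (ok, reason).  Besides the check code, the NAS count must not go
    backwards; otherwise a captured request could be replayed through any relay.
    """
    ctx = NAS_CONTEXTS.get(wd_id)
    if ctx is None:
        return False, "no NAS context for remote device"
    if nas_count < ctx["ul_count"]:
        return False, "stale NAS count"
    expected = nas_check_code(ctx["k_nas_int"], nas_count, nas_message)
    if not hmac.compare_digest(expected, check_code):
        return False, "check code mismatch"
    ctx["ul_count"] = nas_count + 1       # accept and advance the count
    return True, "ok"


# Constructed NAS message from wd-1 (the remote device holds the same k_nas_int)
# and the check code the remote device computes over it.
WD_NAS_COUNT = 7
WD_NAS_MESSAGE = b"communication request: wd-1 via relay-1, rsc-msg"
WD_CHECK_CODE = nas_check_code(NAS_CONTEXTS["wd-1"]["k_nas_int"],
                               WD_NAS_COUNT, WD_NAS_MESSAGE)


def handle_second_request(second_request):
    """Second request message as forwarded by the mobile management entity of
    trunking; the fields below are the ones step 403 needs (constructed layout)."""
    return verify_remote_nas_message(second_request["wd_id"],
                                     second_request["nas_count"],
                                     second_request["nas_message"],
                                     second_request["check_code"])


if __name__ == "__main__":
    req = {"wd_id": "wd-1", "relay_id": "relay-1", "nas_count": WD_NAS_COUNT,
           "nas_message": WD_NAS_MESSAGE, "check_code": WD_CHECK_CODE}
    print(handle_second_request(req))                       # (True, 'ok')
    print(handle_second_request(req))                       # (False, 'stale NAS count')
    tampered = dict(req, nas_count=8, nas_message=req["nas_message"] + b"!")
    print(handle_second_request(tampered))                  # (False, 'check code mismatch')
```

The relay only forwards the remote device's NAS message and check code; it never holds k_nas_int, which is what lets the network authenticate the remote device end to end even though the message passed through the relay.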
Further, on the basis of the above embodiments, Fig. 5 is the flow chart of authority checking method embodiment five provided by the embodiments of the present application. As shown in Fig. 5, the authority checking method provided by the embodiments of the present application further includes:
Step 501: the mobile management entity of the remote equipment obtains the non-access stratum context information of the remote equipment according to the identifier of the remote equipment in the second request message.
In the present embodiment, in order to guarantee communication security between the remote equipment and trunking, the mobile management entity of the remote equipment obtains the non-access stratum context information of the remote equipment according to the identifier of the remote equipment it needs to communicate with; the security parameter needed to generate the key is stored in that non-access stratum context information.
Step 502: the mobile management entity of the remote equipment generates, according to the non-access stratum context information, the key for protecting communication security between the remote equipment and trunking.
In order to realize communication security between the remote equipment and trunking, the mobile management entity of the remote equipment can generate the key for protecting communication security between the remote equipment and trunking according to the non-access stratum context information. Optionally, when the communication request sent by the remote equipment carries a first random number, the mobile management entity of the remote equipment uses the first random number as an input parameter for generating the key; the first random number is generated by the remote equipment. Optionally, when the mobile management entity of the remote equipment generates a second random number, it uses the second random number as an input parameter for generating the key. Optionally, the first random number is encapsulated in the communication request that the remote equipment sends to trunking, is then encapsulated by trunking in the first request message sent to the mobile management entity of trunking, and is finally sent by the mobile management entity of trunking to the mobile management entity of the remote equipment in the second request message.
Optionally, the mobile management entity of the remote equipment obtains the security context of the NAS message of the remote equipment according to the identifier of the remote equipment, and then generates the key for protecting communication security between the remote equipment and trunking based on that NAS security context; that is, the key generation parameter is a parameter in the security context of the NAS message of the remote equipment. Optionally and further, the security parameter needed to generate the key can be the key Kasme in the security context of the NAS message of the remote equipment. Optionally, the security parameter needed to generate the key can also include other parameters, for example the second random number generated by the MME-WD and/or the first random number generated by the WD.
Step 503: the mobile management entity of the remote equipment sends the key and the security parameter needed to generate the key to the mobile management entity of trunking.
Specifically, since there is generally no direct communication between the mobile management entity of the remote equipment and trunking, after the mobile management entity of the remote equipment has generated the key for protecting communication security between the remote equipment and trunking, it needs to send the key and the security parameter needed to generate the key to the mobile management entity of trunking, which in turn sends them to trunking. Optionally, since the first random number is generated by the remote equipment itself, it does not need to be obtained when the remote equipment subsequently generates the key; therefore, the security parameter needed to generate the key described in the embodiments of the present application mainly consists of the second random number, and the second random number is encapsulated in the non-access stratum message of the mobile management entity of the remote equipment.
Correspondingly, the mobile management entity of trunking and the trunking side also need to perform the corresponding receiving operations. See in particular step 504.
Step 504: the mobile management entity of trunking receives the key and the security parameter needed to generate the key sent by the mobile management entity of the remote equipment.
Optionally, the key and the security parameter needed to generate the key received by the mobile management entity of trunking are equivalent to one form of the content of the second response message. Optionally, the second response message may include the non-access stratum message generated by the mobile management entity of the remote equipment. Optionally, the non-access stratum message in the second response message is integrity protected using the NAS security context of the remote equipment, and is sent by the mobile management entity of trunking to trunking and then on to the remote equipment, so that the remote equipment authenticates the network by verifying the integrity of that non-access stratum message. Optionally, the key generation parameter may be contained in that non-access stratum message.
Step 505: the mobile management entity of trunking sends the key and the security parameter needed to generate the key to trunking.
For the remote equipment to access the network through trunking, the remote equipment and trunking need a key that protects the communication between them. Therefore the mobile management entity of trunking also needs to send the received key and the security parameter needed to generate the key to trunking, so that trunking holds the key and the security parameter needed to generate it.
Step 506: trunking receives the key for protecting communication security between the remote equipment and trunking and the security parameter needed to generate the key.
Correspondingly, step 108 above can be replaced by step 507:
Step 507: trunking sends the security parameter to the remote equipment in the communication response, so that the remote equipment generates the key for protecting communication security between the remote equipment and trunking according to the security parameter.
After trunking receives the key and the security parameter needed to generate the key, it saves the key itself and sends the security parameter needed to generate the key to the remote equipment in the communication response; the remote equipment can then generate the key for protecting communication security between the remote equipment and trunking from that security parameter by itself. If the key on the remote equipment side and the key on the trunking side agree, the authentication and authorization check between the remote equipment and trunking has succeeded, and the remote equipment can send data to the network through trunking.
In the authority checking method provided by the embodiments of the present application, the mobile management entity of the remote equipment generates, according to the identifier of the remote equipment in the second request message, the key for protecting communication security between the remote equipment and trunking, and sends the key and the security parameter needed to generate the key to the mobile management entity of trunking; the mobile management entity of trunking sends the received key and the security parameter needed to generate the key to trunking; and trunking sends the security parameter to the remote equipment in the communication response, so that the remote equipment generates the key for protecting communication security between the remote equipment and trunking according to the security parameter. In this way, when the remote equipment accesses the network through trunking, the short-distance communication can be protected with the key, which gives high security.
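To show how the parties in steps 501 to 507 end up holding the same key while the key itself never crosses the short-distance link, here is an added Python simulation (not the patent's or Huawei's code). Kasme, the random numbers and the identifiers are constructed; the HMAC-SHA256 derivation and its label strings are assumptions, since the patent lists the inputs (Kasme, first random number, second random number, relay service code) but no derivation function. The optional second-level PC5 key described for step 610 is included as the final derivation on both sides.

```python
import hashlib
import hmac
import os


def kdf(key, label, *params):
    """Length-prefixed HMAC-SHA256 derivation (an assumed construction; the
    patent lists the inputs but not the function)."""
    data = label
    for p in params:
        data += len(p).to_bytes(2, "big") + p
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_first_key(kasme, first_random, second_random, relay_service_code):
    """Step 502: the (first) key from Kasme, the remote device's first random
    number, MME-WD's second random number and the relay service code."""
    return kdf(kasme, b"first-key", first_random, second_random,
               relay_service_code.encode())


def derive_pc5_key(first_key):
    """Optional second-level key of step 610 that Relay and WD both derive from
    the (first) key and use as the PC5 interface communication key."""
    return kdf(first_key, b"pc5-comm-key")


# Constructed: Kasme from wd-1's NAS security context.  MME-WD reads it from the
# NAS context fetched in step 501; the remote device holds its own copy.
WD1_KASME = bytes.fromhex("8f" * 32)
MME_WD_NAS_CONTEXTS = {"wd-1": {"kasme": WD1_KASME}}


def run_key_distribution(relay_service_code, first_random=None, second_random=None):
    """Steps 501 to 507: the communication response carries only the security
    parameter (second random number), never the key itself."""
    first_random = first_random or os.urandom(16)        # generated by WD

    # WD -> Relay -> MME-relay -> MME-WD: identifiers, service code and first
    # random number reach MME-WD inside the second request message.
    second_request = {"wd_id": "wd-1", "relay_id": "relay-1",
                      "rsc": relay_service_code, "first_random": first_random}

    # Steps 501/502 at MME-WD.
    kasme = MME_WD_NAS_CONTEXTS[second_request["wd_id"]]["kasme"]
    second_random = second_random or os.urandom(16)      # generated by MME-WD
    first_key = derive_first_key(kasme, second_request["first_random"],
                                 second_random, second_request["rsc"])

    # Steps 503 to 506: key + security parameter to MME-relay, then to Relay.
    relay_state = {"first_key": first_key, "second_random": second_random}

    # Step 507: Relay forwards only the security parameter to WD.
    communication_response = {"second_random": relay_state["second_random"]}

    # WD regenerates the key from its own Kasme copy and its own first random number.
    wd_first_key = derive_first_key(WD1_KASME, first_random,
                                    communication_response["second_random"],
                                    relay_service_code)

    return {
        "relay_pc5_key": derive_pc5_key(relay_state["first_key"]),
        "wd_pc5_key": derive_pc5_key(wd_first_key),
        "response_carries_key": "first_key" in communication_response,
    }


def keys_agree(result):
    """The success condition stated after step 507: both sides hold the same key."""
    return hmac.compare_digest(result["relay_pc5_key"], result["wd_pc5_key"])


if __name__ == "__main__":
    res = run_key_distribution("rsc-msg")
    print("keys agree:", keys_agree(res),
          "key in communication response:", res["response_carries_key"])
```

Binding the relay service code into the derivation means a key agreed for one service type cannot be reused for another, and mixing in both random numbers ensures a fresh key per request even though Kasme is long-lived.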
Optionally, in the authority checking method provided by the embodiments of the present application, when the mobile management entity of trunking, the mobile management entity of the remote equipment or the short distance functional entity has verified the association relationship between the remote equipment and trunking, but the mobile management entity of the remote equipment has not performed the key generation operation of step 502 above, namely when the communication request that the remote equipment sends to trunking does not carry the NAS message of the remote equipment, or carries the NAS message of the remote equipment but the integrity check of that NAS message fails, or carries the NAS message of the remote equipment but that NAS message has no integrity protection, the mobile management entity of the remote equipment can also perform the following operation:
The mobile management entity of the remote equipment sends a secret key request message to the security function entity, so that the security function entity, according to the secret key request message, obtains the key for protecting communication security between the remote equipment and trunking and the security parameter needed to generate that key, and feeds them back to the mobile management entity of the remote equipment.
Wherein, the secret key request message includes the identifier of the remote equipment.
This step is similar to the step in the embodiment shown in Fig. 3 above in which the mobile management entity of trunking sends a secret key request message to the security function entity to obtain the key for protecting communication security between the remote equipment and trunking and the security parameter needed to generate the key; details are not repeated here.
In conjunction with the above embodiments, the following embodiments illustrate the entire flow of the authority checking method. In the following figures, the remote equipment is illustrated as a wearable device (WD), together with trunking (Relay), the mobile management entity of the remote equipment (MME-WD), the mobile management entity of trunking (MME-relay), a base station (eNB), the home subscriber server (Home Subscriber Server, HSS) and the short distance functional entity (ProSe Function, PF).
Fig. 6 is the interaction diagram of authority checking method embodiment six provided by the embodiments of the present application. As shown in Fig. 6, the authority checking method provided by the embodiments of the present application includes:
Step 601: WD and Relay successfully register to the network.
Step 602: WD sends a communication request to Relay.
The communication request includes the NAS message of the remote equipment; for the other content of the communication request, refer to the description of step 101 in the embodiment shown in Fig. 1, which is not repeated here.
Step 603: Relay generates the first request message and sends it to MME-relay.
Specifically, Relay encapsulates the content of the communication request from WD in its own NAS message, which produces the first request message. Optionally, the first request message is a NAS message between trunking (relay) and the mobile management entity (MME).
Step 604: MME-relay verifies the association relationship between Relay and WD according to the first request message.
Optionally, after MME-relay receives the first request message sent by Relay, it can execute any one or several of the following operations. First operation: MME-relay itself triggers verification of the association relationship between Relay and WD according to the content of the first request message. Second operation: MME-relay sends the content of the first request message to MME-WD or PF, so that MME-WD or PF performs further safety processing. Third operation: MME-relay executes both the first operation and the second operation.
For the specific implementation of MME-relay verifying the association relationship between Relay and WD according to the first request message, refer to the description of step 105 in the embodiment shown in Fig. 1; details are not repeated here.
Step 605: MME-relay sends the second request message to MME-WD.
For the content of the second request message, refer to the description of step 105a in the embodiment shown in Fig. 1; details are not repeated here.
Wherein, MME-relay can find the corresponding MME-WD according to the WD ID carried in the first request message.
Step 606: MME-WD verifies the integrity of the second request message, verifies the association relationship between Relay and WD, and generates the key.
Optionally, after MME-WD receives the second request message, it can perform one or more of the following operations: verify the integrity of the second request message, verify the association relationship between Relay and WD, and generate the key. The key is the key for protecting communication security between the remote equipment and trunking.
Wherein, the key can be the PC5 interface communication key, and the security parameters needed to generate the key include: the first random number (optional), the second random number generated by MME-WD (optional), a base key (for example, Kasme) and the relay service code (Relay service code) (optional). Optionally, the second random number is encapsulated in the second NAS message and finally returned to WD. For the specific operation of key generation, refer to step 502 in the embodiment shown in Fig. 5; details are not repeated here.
Step 607: MME-WD returns the key and the security parameter needed to generate the key to MME-relay.
Optionally, when MME-WD has generated the key for protecting communication security between the remote equipment and trunking, MME-WD returns it to MME-relay. Alternatively, when MME-WD has verified the association relationship between Relay and WD, it feeds the verification result back to MME-relay.
Optionally, the security parameter needed to generate the key mainly refers to the second random number generated by the mobile management entity of the remote equipment. In that case, optionally, MME-WD encapsulates the second random number in its own NAS message and sends it to MME-relay.
Step 608: MME-relay returns the key and the security parameter needed to generate the key to Relay in the first response message.
Step 609: Relay receives the key and the security parameter needed to generate the key, and sends the security parameter needed to generate the key to WD in the communication response.
When Relay receives the key (for example, the PC5 communication key) and the security parameter needed to generate the key, this shows that authentication and authorization of WD and Relay have passed, and WD can carry out services through Relay.
Step 610: WD verifies the integrity of the communication response and generates the key according to the security parameter needed to generate the key.
Optionally, the communication response includes the second NAS message generated by the mobile management entity of the remote equipment; in that case, specifically, WD verifies the integrity of the second NAS message in the communication response.
Optionally, in step 606, the (first) key generated by MME-WD can be used directly as the PC5 interface communication key to protect PC5 interface communication; that is, Relay directly applies security protection (for example, integrity protection) to the communication response according to the received (first) key, and correspondingly WD also generates the (first) key, that is, the PC5 interface communication key, according to the received security parameter needed to generate the key, and then performs security verification (for example, integrity verification) on the communication response message. Optionally, the PC5 interface communication key may instead be a (second) key that Relay further generates from the (first) key generated by MME-WD in step 606; that is, Relay generates the (second) key according to the received (first) key, uses it as the PC5 interface communication key and applies security protection (for example, integrity protection) to the communication response; correspondingly, after WD generates the (first) key according to the received security parameter needed to generate the key, it further generates the (second) key from the (first) key, that (second) key being the PC5 interface communication key, and then performs security verification (for example, integrity verification) on the communication response message.
Optionally, the association relationship between the remote equipment and trunking can be represented in the form of a buddy list or in the form of a type of service:
Buddy list: for example, Relay ID: WD1 ID, WD2 ID, ....
Type of service: for example, WD ID: (relay service code1: service1-1, service1-2, ...); (relay service code2: service2-1, service2-2, ...); ....
It is worth noting that the association relationship above can also be another type of permission; the embodiments of the present application do not limit this.
In addition, the following points should be noted about the authorization verification method of this application:
Optionally, first: the association relationship verification in step 604 and step 606 may be performed at only one of the two, or at both.
Optionally, second: the key for protecting communication security between the remote device and the relay device is optional; that is, the key need not be generated in step 606. In that case the first random number and the second random number described above need not be generated or transmitted either, but the NAS message of the remote device and the NAS message of MME-WD still need to be transmitted; their function is to complete the security authentication between WD and Relay by checking the integrity of the NAS message of the remote device.
Optionally, third: if the key for protecting communication security between the remote device and the relay device needs to be generated, the interaction between WD and MME-WD optionally need not be encapsulated in NAS messages; that is, the first random number and the WD ID need not be encapsulated in the NAS message of the remote device, and the second random number need not be encapsulated in the NAS message of MME-WD.
Optionally, fourth: if the NAS message of the remote device in the communication request does not include the WD ID, then in step 604 and step 605 the NAS message of the remote device in the first request message and in the second request message does not include the WD ID either; in that case, in step 605, the WD ID is carried as an information element of the communication request.
For the implementation principle of each step in this embodiment, refer to the related descriptions in the embodiments shown in Fig. 1 to Fig. 5; details are not described herein again.
Fig. 7 is an interaction diagram of Embodiment 7 of the authorization verification method provided by the embodiments of this application. As shown in Fig. 7, the authorization verification method provided by this embodiment is similar to the embodiment shown in Fig. 6, the only difference being that PF may also perform authorization verification. Optionally, as shown in Fig. 7, step 604 in Fig. 6 above may be replaced by steps 701 to 703, and step 606 by step 704.
Step 701: MME-relay sends a third request message to PF according to the first request message.
The third request message includes the identifier of the remote device and the identifier of the relay device. Optionally, the third request message further includes the relay service code.
Step 702: PF verifies the association relationship between Relay and WD and generates a third response message.
Specifically, PF verifies the association relationship between Relay and WD according to the third request message. Optionally, the first authorization information of the relay device relating to the remote device and the second authorization information of the remote device relating to the relay device are stored in the user data management entity and/or the proximity service functional entity in the network; therefore, after PF receives the third request message, it verifies the association relationship between the relay device and the remote device according to the identifier of the remote device and the identifier of the relay device.
Step 703: PF feeds back the third response message to MME-relay.
The third response message carries the result of the PF verification.
Step 704: MME-WD verifies the integrity of the second request message, and generates the key for protecting communication security between the remote device and the relay device and the security parameters required for generating the key.
For the verification of the integrity of the second request message and the key generation method by MME-WD, refer to the descriptions of step 501 and step 502 in the embodiment shown in Fig. 5; details are not described herein again.
It should be noted that, in addition to the points to be noted for the embodiment shown in Fig. 6, the authorization verification method of this application should also note the following form of the association relationship, expressed with client (application) identifiers:
Relay APP ID (identifier of the relay device client): WD1 app ID (identifier of the first remote device client), WD2 app ID, ....
Optionally, Fig. 8 is a flowchart of Embodiment 8 of the authorization verification method provided by the embodiments of this application. As shown in Fig. 8, the authorization verification method provided by the embodiments of this application includes:
Step 801: the network side device receives a first request message sent by the relay device.
The first request message includes the identifier of the remote device.
Step 802: the network side device triggers, according to the first request message, verification of the association relationship between the remote device and the relay device.
Step 803: after determining that the above association relationship is verified, the network side device sends a first response message to the relay device.
It should be noted that when the mobility management entity of the remote device and the mobility management entity of the relay device in the above embodiments are integrated in the same mobility management entity, the mobility management entity of the remote device and the mobility management entity of the relay device may be referred to as the network side device; that is, the network side device in this embodiment may be implemented by either the mobility management entity of the remote device or the mobility management entity of the relay device.
Optionally, in another embodiment of this application, the network side device may also be implemented by the proximity service functional entity.
In the embodiments of this application, for the mobility management entity of the relay device triggering verification of the association relationship between the remote device and the relay device according to the received first request message sent by the relay device, refer specifically to the descriptions of step 101 to step 106 in the embodiment shown in Fig. 1; for the verification of the association relationship between the remote device and the relay device by the mobility management entity of the remote device, refer specifically to the descriptions of step 105a to step 105d in the embodiment shown in Fig. 1. The implementation principles and technical effects are similar to those of the mobility management entity of the remote device and the mobility management entity of the relay device in the embodiment shown in Fig. 1, and details are not described herein again. The verification of the association relationship between the remote device and the relay device by the proximity service functional entity is similar to the verification method of the mobility management entity of the relay device and the mobility management entity of the remote device, and is not repeated herein either.
Optionally, on the basis of the embodiment shown in Fig. 8, Fig. 9 is a flowchart of Embodiment 9 of the authorization verification method provided by the embodiments of this application. As shown in Fig. 9, in the authorization verification method provided by the embodiments of this application, step 802 above (the network side device triggers, according to the first request message, verification of the association relationship between the remote device and the relay device) includes:
Step 901: the network side device obtains first authorization information according to the first request message.
Specifically, after the relay device and the remote device have successfully registered with the network, the network side device obtains the first authorization information from the user data management entity and/or the proximity service functional entity according to the first request message.
In one embodiment, when the network side device is the mobility management entity of the relay device, the network side device, after the relay device has successfully registered with the network, obtains the first authorization information from the user data management entity and/or the proximity service functional entity according to the identifier of the relay device; in this case the first authorization information is the authorization information of the relay device. Optionally, for the specific method of obtaining the authorization information of the relay device, refer to the description in step 201; details are not described herein again.
In another embodiment, when the network side device is the mobility management entity of the remote device, the network side device, after the remote device has successfully registered with the network, obtains the first authorization information from the user data management entity and/or the proximity service functional entity according to the identifier of the remote device; in this case the first authorization information is the authorization information of the remote device. Optionally, for the specific method of obtaining the authorization information of the remote device, refer to the description in step 401; details are not described herein again.
In another embodiment, when the network side device is the proximity service functional entity, the network side device, after the remote device and the relay device have successfully registered with the network, obtains the first authorization information from the user data management entity and/or the proximity service functional entity according to the identifier of the relay device and the identifier of the remote device respectively; in this case the first authorization information includes both the authorization information of the remote device and the authorization information of the relay device.
Step 902: the network side device verifies, according to the identifier of the remote device, the identifier of the relay device and the first authorization information, whether the remote device is allowed to access the network through the relay device.
The technical solution of this embodiment is similar to the verification, on the relay device side in the embodiment shown in Fig. 2, of whether the remote device is allowed to access the network through the relay device, and to the corresponding verification on the remote device side in the embodiment shown in Fig. 4; refer specifically to the descriptions in the embodiments shown in Fig. 2 and Fig. 4, and details are not described herein again.
Further, when the first request message further includes the relay service code, step 802 above (the network side device triggers, according to the first request message, verification of the association relationship between the remote device and the relay device) may be replaced by the following step:
The network side device verifies, according to the identifier of the remote device, the identifier of the relay device, the relay service code and the first authorization information, whether the remote device is allowed to access the network through the relay device.
Optionally, when the network side device is the mobility management entity of the relay device, for the specific implementation of this step refer to the description in step 202; when the network side device is the mobility management entity of the remote device, refer to the description in step 402; the verification method of the proximity service functional entity is similar, and for details refer to the descriptions in the embodiments shown in Fig. 2 and Fig. 4, which are not repeated herein.
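The following is an added example, not part of the patent, showing how the association check of step 902 (with and without a relay service code) can be evaluated against authorization information held in the two forms the application describes, a buddy list (Relay ID to WD IDs) and a service type (WD ID to relay service codes and services). All identifiers, the authorization data and the function names are constructed for this illustration.

```python
"""Added example, not part of the patent: the association check of step 902
(with and without a relay service code).

The patent expresses the association relationship as a buddy list
(Relay ID -> WD IDs) or as a service type (WD ID -> relay service code ->
services). Both forms are modelled below with constructed identifiers and
constructed authorization data; the function names are this example's own.
"""

# Constructed: first authorization information held for the relay device
# (buddy list: which remote devices each relay may serve).
RELAY_AUTH = {
    "relay-1": {"wd-1", "wd-2"},
    "relay-2": {"wd-3"},
}

# Constructed: second authorization information held for the remote device
# (service type: which relay service codes, and which services under them,
# each remote device is authorized for).
WD_AUTH = {
    "wd-1": {"code-A": {"service-A-1", "service-A-2"}, "code-B": {"service-B-1"}},
    "wd-2": {"code-A": {"service-A-1"}},
    "wd-3": {"code-C": {"service-C-1"}},
}


def relay_allows_wd(relay_id, wd_id, relay_auth=RELAY_AUTH):
    """Buddy-list check: unknown relays and unknown WDs are rejected (fail closed)."""
    return wd_id in relay_auth.get(relay_id, set())


def wd_allows_service_code(wd_id, relay_service_code, wd_auth=WD_AUTH):
    """Service-type check: the WD must be authorized for the requested relay service code."""
    return relay_service_code in wd_auth.get(wd_id, {})


def verify_association(wd_id, relay_id, relay_service_code=None,
                       relay_auth=RELAY_AUTH, wd_auth=WD_AUTH):
    """Decide whether wd_id may access the network through relay_id.

    Without a relay service code only the buddy list is consulted (step 902);
    with one, the service-type authorization is checked as well (the variant
    of step 802 that includes the code). Returns (allowed, reason).
    """
    if not relay_allows_wd(relay_id, wd_id, relay_auth):
        return False, "remote device not in relay buddy list"
    if relay_service_code is not None and not wd_allows_service_code(
            wd_id, relay_service_code, wd_auth):
        return False, "relay service code not authorized for remote device"
    return True, "ok"


def first_response(wd_id, relay_id, relay_service_code=None):
    """Build the first response message returned to the relay device (step 803)."""
    allowed, reason = verify_association(wd_id, relay_id, relay_service_code)
    return {"wd_id": wd_id, "relay_id": relay_id,
            "result": "accept" if allowed else "reject", "reason": reason}
```

Both lookups fail closed: a relay or remote device that has no entry is treated as unauthorized rather than as unrestricted, which is the behaviour a verifier at MME-relay, MME-WD or PF should have when its authorization data is incomplete.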
As an example, in the embodiment shown in Fig. 8, step 802 above (the network side device triggers, according to the first request message, verification of the association relationship between the remote device and the relay device) may include the following step:
The network side device sends a second request message to a first mobility management entity, so that the first mobility management entity verifies, according to the second request message, whether the remote device is allowed to access the network through the relay device.
In this embodiment, when the network side device is implemented in different ways, the first mobility management entity differs accordingly. The possible combinations are as follows:
First way: when the network side device is the mobility management entity of the relay device, the first mobility management entity is the proximity service functional entity or the mobility management entity of the remote device; or
Second way: when the network side device is the mobility management entity of the remote device, the first mobility management entity is the proximity service functional entity or the mobility management entity of the relay device; or
Third way: when the network side device is the proximity service functional entity, the first mobility management entity is the mobility management entity of the remote device or the mobility management entity of the relay device.
This step corresponds to the solution in which the verification of the association relationship between the remote device and the relay device is performed at any two of the mobility management entity of the relay device, the mobility management entity of the remote device and the proximity service functional entity; the verification operations at the two places are independent of each other, and for the specific verification method refer to the description in the embodiment shown in Fig. 9, which is not repeated herein.
Optionally, in any of the embodiments of Fig. 8 or Fig. 9 of this application, when the first request message includes the non-access stratum message of the remote device and the check code of the non-access stratum message, the second request message also includes the non-access stratum message of the remote device and the check code of the non-access stratum message.
Correspondingly, step 802 above (the network side device triggers, according to the first request message, verification of the association relationship between the remote device and the relay device) includes:
The network side device sends the second request message to the mobility management entity of the remote device, so that the mobility management entity of the remote device performs security processing for the remote device according to the second request message.
Here the network side device is the mobility management entity of the relay device, or the network side device is the proximity service functional entity.
When the network side device is either the mobility management entity of the relay device or the proximity service functional entity, the mobility management entity of the relay device or the proximity service functional entity also sends the second request message to the mobility management entity of the remote device, so that the mobility management entity of the remote device performs security processing for the remote device according to the second request message. For the security processing for the remote device, refer to the descriptions of step 105a to step 105d in the embodiment shown in Fig. 1; details are not described herein again.
Optionally, in any of the embodiments of Fig. 8 or Fig. 9 of this application, as an example, if the network side device is the mobility management entity of the remote device, step 801 above (the network side device receives the first request message sent by the relay device) may be implemented as follows:
The network side device receives the first request message forwarded by the base station on behalf of the relay device, and the first request message further includes the identifier of the relay device.
In a possible implementation, the relay device may also send the first request message to the base station; the base station selects the corresponding mobility management entity of the remote device and reports related content such as the identifier of the remote device and the identifier of the relay device in an initial remote device message.
When the network side device is the mobility management entity of the remote device and the first request message includes the non-access stratum message of the remote device and the check code of the non-access stratum message, a possible implementation of step 802 above (the network side device triggers, according to the first request message, verification of the association relationship between the remote device and the relay device) is as follows:
The network side device obtains the non-access stratum context information of the remote device according to the identifier of the remote device, and verifies the check code of the non-access stratum message according to the non-access stratum context information.
Specifically, a set of integrity protection keys, a set of NAS algorithms and NAS message counters (uplink and downlink) are agreed between the remote device and the mobility management entity of the remote device. The mobility management entity of the remote device takes the integrity protection key, the value of the NAS message counter and the NAS message itself as inputs to the NAS algorithm and generates a check value (MAC-integrity), which is placed at the end of the NAS message. Similarly, the remote device also executes the above NAS algorithm and generates a check value; the two check values are then compared, and if they are consistent the integrity check passes, otherwise the integrity check fails.
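The following is an added example, not part of the patent, that implements the integrity check just described: the sender appends a check value computed from the integrity protection key, the NAS message counter and the message, and the receiver recomputes it with its own copy of the counter. The patent does not name the NAS algorithm, so HMAC-SHA256 truncated to 32 bits is used here as an assumed stand-in; the key, message content, counter handling and all names are constructed for this illustration.

```python
"""Added example, not part of the patent: computing and checking the NAS
integrity check value (MAC-integrity) described above.

The patent names the inputs (integrity protection key, NAS message counter,
the NAS message itself) but not the algorithm. HMAC-SHA256 truncated to
32 bits is used here as an assumed stand-in for the selected NAS integrity
algorithm; the key, counter handling, message layout and names are constructed.
"""
import hashlib
import hmac

MAC_LEN = 4          # assumed: 32-bit check value appended to the message
UPLINK, DOWNLINK = 0, 1


def nas_mac(k_nas_int, count, direction, message):
    """Check value over (counter, direction, message) under the integrity key."""
    data = count.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:MAC_LEN]


class NasContext:
    """Minimal NAS security context: integrity key plus uplink/downlink counters.

    One instance lives on the remote device, one on its mobility management
    entity; both are initialised from the same agreed key and counters.
    """

    def __init__(self, k_nas_int):
        self.k_nas_int = k_nas_int
        self.count = {UPLINK: 0, DOWNLINK: 0}

    def protect(self, message, direction):
        """Append the check value and advance the sender's counter."""
        mac = nas_mac(self.k_nas_int, self.count[direction], direction, message)
        self.count[direction] += 1
        return message + mac

    def verify(self, protected, direction):
        """Recompute the check value with the expected counter and compare.

        Returns (True, message) on success. The receiver's counter advances
        only after a successful check, so a replayed message is rejected.
        """
        if len(protected) <= MAC_LEN:
            return False, None
        message, mac = protected[:-MAC_LEN], protected[-MAC_LEN:]
        expected = nas_mac(self.k_nas_int, self.count[direction], direction, message)
        if not hmac.compare_digest(mac, expected):
            return False, None
        self.count[direction] += 1
        return True, message


def demo():
    """Constructed run: WD sends a NAS message carrying its ID to MME-WD."""
    k_nas_int = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    wd, mme_wd = NasContext(k_nas_int), NasContext(k_nas_int)

    nas_message = b"WD-ID=wd-1;NONCE=0102030405060708"            # constructed payload
    protected = wd.protect(nas_message, UPLINK)

    ok_fresh, body = mme_wd.verify(protected, UPLINK)              # first delivery
    ok_replay, _ = mme_wd.verify(protected, UPLINK)                # same bytes again
    tampered = protected.replace(b"wd-1", b"wd-2")
    ok_tampered, _ = mme_wd.verify(tampered, UPLINK)               # modified ID
    return {"fresh": ok_fresh, "body": body,
            "replay": ok_replay, "tampered": ok_tampered}
```

The counter is part of the MAC input, which is what makes the check more than a checksum: a relay that forwards the remote device's NAS message unchanged cannot replay it later, and cannot substitute another WD ID, because the check value would no longer match the context MME-WD looks up by that identifier.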
Optionally, since the proximity service functional entity and the mobility management entity of the remote device can generate, according to the identifier of the remote device, the key for protecting communication security between the remote device and the relay device, when the network side device is the mobility management entity of the relay device, the proximity service functional entity and the mobility management entity of the remote device are described above as the first mobility management entity. Therefore the authorization verification method provided by the embodiments of this application further includes the following steps, as described in the embodiment shown in Fig. 10.
Fig. 10 is a flowchart of Embodiment 10 of the authorization verification method provided by the embodiments of this application. As shown in Fig. 10, the authorization verification method provided by the embodiments of this application further includes:
Step 1001: the network side device sends the second request message to the first mobility management entity.
Step 1002: the first mobility management entity obtains the non-access stratum context information of the remote device according to the identifier of the remote device in the second request message, and generates, according to the non-access stratum context information, the key for protecting communication security between the remote device and the relay device.
Step 1003: the first mobility management entity feeds back the key and the security parameters required for generating the key to the network side device.
Step 1004: the network side device sends the received key and the security parameters required for generating the key to the relay device.
Step 1005: the relay device returns the security parameters required for generating the key to the remote device.
Step 1006: the remote device generates, according to the received security parameters, the key for protecting communication security between the remote device and the relay device.
The authorization verification method provided in this embodiment is described with the first mobility management entity (the proximity service functional entity or the mobility management entity of the remote device) generating the key for protecting communication security between the remote device and the relay device; its implementation principle and beneficial effects are similar to those of the technical solution of the embodiment shown in Fig. 5. Refer specifically to the embodiment shown in Fig. 5; details are not described herein again.
Optionally, when the network side device is the mobility management entity of the remote device or the proximity service functional entity, it can perform the key generation itself, as follows:
The network side device obtains the non-access stratum context information of the remote device according to the identifier of the remote device, generates the key for protecting communication security between the remote device and the relay device according to the non-access stratum context information, and feeds back the key and the security parameters required for generating the key to the mobility management entity of the relay device for forwarding to the relay device, so that the relay device returns the security parameters to the remote device and the remote device in turn generates, according to the security parameters, the key for protecting communication security between the remote device and the relay device.
Here the network side device is the mobility management entity of the remote device or the proximity service functional entity.
Optionally, the above key is generated by the mobility management entity of the remote device according to the base security key of the remote device.
In addition, the context information of the relay device is stored in the mobility management entity of the relay device, the context information of the remote device is stored in the mobility management entity of the remote device, and both the context information of the relay device and the context information of the remote device are stored in the proximity service functional entity.
Further, on the basis of the above embodiments, the authorization verification method provided by the embodiments of this application further includes:
The network side device sends a key request message to a security function entity, so that the security function entity obtains, according to the key request message, the key for protecting communication security between the remote device and the relay device and the security parameters required for generating the key, and feeds back the key and the security parameters required for generating the key to the network side device; the key request message includes the identifier of the remote device.
This step applies when the network side device has determined that the association relationship between the remote device and the relay device is verified, but the response message finally obtained by the network side device does not carry the key for protecting communication security between the remote device and the relay device or the security parameters required for generating the key. The network side device then sends the key request message directly to the security function entity and obtains from it the key for protecting communication security between the remote device and the relay device and the security parameters required for generating the key, so that the remote device can access the network through the relay device.
Detailed examples of the authorization verification method are given below with reference to the above embodiments:
As in the embodiments shown in Fig. 6 and Fig. 7, the following figures are described with the remote device being a wearable device (WD), together with the relay device (Relay), the mobility management entity of the remote device (MME-WD), the mobility management entity of the relay device (MME-relay), the base station (eNB), the home subscriber server (HSS) and the proximity service functional entity (ProSe Function, PF).
Fig. 11 is an interaction diagram of Embodiment 11 of the authorization verification method provided by the embodiments of this application. As shown in Fig. 11, the authorization verification method provided by the embodiments of this application is similar to the embodiment shown in Fig. 6; the specific steps are as follows:
Step 1101: WD and Relay successfully register with the network.
Step 1102: WD sends a communication request to Relay.
The communication request carries the identifier of the remote device (WD ID). Optionally, the communication request further includes a first NAS message (the NAS message of WD) and/or a relay service code. For the specific content of the communication request, refer to the description of step 101 in the embodiment shown in Fig. 1; details are not described herein again.
Step 1103: Relay sends RRC signaling to the base station (eNB).
The RRC signaling includes the related content of the above communication request. Optionally, the RRC signaling further includes the identifier of Relay.
Step 1104: eNB initiates S1-AP connection establishment with MME-WD and sends the related content of the RRC signaling to MME-WD in an initial remote device message.
Step 1105: MME-WD verifies the integrity of the first NAS message and verifies the association relationship between Relay and WD.
Optionally, for the specific operations of MME-WD after receiving the first NAS message, refer to the description of step 604 in the embodiment shown in Fig. 6; details are not described herein again. When the communication request includes the first NAS message, MME-WD verifies the integrity of the first NAS message. For the specific implementation of the integrity check, refer to the description in step 403; details are not described herein again.
Step 1106: MME-WD sends the WD ID and the Relay ID to MME-relay.
Optionally, MME-WD may also send to MME-relay other relevant parameters required for verifying the association relationship between Relay and WD. In addition, MME-WD may also send content such as the relay service code to MME-relay.
Step 1107: MME-relay verifies the association relationship between Relay and WD and feeds back a second response message to MME-WD.
Step 1108: MME-WD generates the key.
Specifically, MME-WD obtains the security parameters required for generating the key according to the WD ID, and then generates the key for protecting communication security between WD and Relay.
For the specific key generation method and the required security parameters, refer to the description in step 502; details are not described herein again.
Step 1109: MME-WD returns the key and the security parameters required for generating the key to eNB.
Optionally, MME-WD returns the key and the security parameters required for generating the key to eNB in an initial context setup request.
Step 1110: eNB establishes the bearer mapping and binding between WD and Relay.
Step 1111: eNB feeds back the key and the security parameters required for generating the key to Relay, and RRC connection configuration is performed between eNB and Relay.
Step 1112: eNB feeds back the security parameters required for generating the key to WD, and RRC connection configuration is performed between eNB and WD.
Step 1113: WD generates the key according to the security parameters required for generating the key.
Step 1114: WD sends an RRC connection configuration complete message to eNB.
Step 1115: eNB feeds back an initial context setup complete message to MME-WD.
For the implementation principle of each step in this embodiment, refer to the related descriptions in the above embodiments; details are not described herein again.
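The following is an added example, not part of the patent, that walks through the key flow of steps 1102 to 1113 above (and, equivalently, steps 1001 to 1006 of Fig. 10) with both sides' computations: WD contributes a first random number, MME-WD draws a second random number and derives the WD-Relay key from the base security key of WD's NAS context, Relay receives the key while WD receives only the second random number, and WD re-derives the same key. It also covers the optional second-level derivation of the PC5 communication key (the "second key" of step 606 in Fig. 6). The KDF (HMAC-SHA256 over labelled inputs), the 4-byte integrity tag on the communication response, the identifiers and the base key are assumptions of this example, not the patent's specification.

```python
"""Added example, not part of the patent: the key derivation and distribution
of steps 1102 to 1113 in Fig. 11 (and, equivalently, steps 1001 to 1006).

WD sends a first random number with its identifier; MME-WD draws a second
random number, derives the WD-Relay key from the base security key of WD's
NAS context, returns the key and the second random number toward Relay (via
eNB) and only the second random number toward WD; WD re-derives the same
key. The optional second-level derivation of the PC5 communication key
(the "second key" of step 606 in Fig. 6) is included. The KDF (HMAC-SHA256
over labelled inputs), the 4-byte integrity tag on the communication
response, the identifiers and the base key are all assumptions of this
example, not the patent's specification.
"""
import hashlib
import hmac
import os


def kdf(key, label, *parts):
    """Length-prefixed, labelled derivation so different inputs cannot collide."""
    data = label.encode() + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def first_key(k_base, wd_id, relay_id, nonce_wd, nonce_mme):
    """Key for protecting WD-Relay communication (the "first key")."""
    return kdf(k_base, "WD-RELAY-KEY", wd_id.encode(), relay_id.encode(), nonce_wd, nonce_mme)


def second_key(k_first, wd_id, relay_id):
    """Optional PC5 communication key derived by Relay and WD from the first key."""
    return kdf(k_first, "PC5-KEY", wd_id.encode(), relay_id.encode())


def integrity_tag(key, message):
    """Assumed 32-bit tag Relay puts on the communication response."""
    return hmac.new(key, message, hashlib.sha256).digest()[:4]


class MmeWd:
    """Holds the NAS context base key of each registered WD (constructed)."""

    def __init__(self, base_keys):
        self.base_keys = base_keys

    def generate_key(self, wd_id, relay_id, nonce_wd):
        """Step 1108: derive the key and the security parameter WD needs."""
        nonce_mme = os.urandom(16)
        key = first_key(self.base_keys[wd_id], wd_id, relay_id, nonce_wd, nonce_mme)
        return key, nonce_mme   # key + nonce go to Relay; only nonce goes on to WD


def run_exchange(use_second_key=False):
    """Run one WD/Relay/MME-WD exchange and report whether both ends agree."""
    k_base = hashlib.sha256(b"constructed base key for wd-1").digest()   # constructed
    wd_id, relay_id = "wd-1", "relay-1"
    mme_wd = MmeWd({wd_id: k_base})

    nonce_wd = os.urandom(16)                                          # step 1102
    key, nonce_mme = mme_wd.generate_key(wd_id, relay_id, nonce_wd)    # steps 1105-1108

    # Steps 1109-1111: Relay receives the key (and nonce_mme) through eNB and
    # protects its communication response with the PC5 communication key.
    relay_key = second_key(key, wd_id, relay_id) if use_second_key else key
    response = b"COMMUNICATION-RESPONSE"
    tag = integrity_tag(relay_key, response)

    # Steps 1112-1113: WD receives only nonce_mme and re-derives the key locally.
    wd_key = first_key(k_base, wd_id, relay_id, nonce_wd, nonce_mme)
    if use_second_key:
        wd_key = second_key(wd_key, wd_id, relay_id)
    verified = hmac.compare_digest(tag, integrity_tag(wd_key, response))

    return {"keys_match": relay_key == wd_key,
            "response_verified": verified,
            "relay_key": relay_key}
```

The property worth noticing is that the base security key never leaves MME-WD and WD: Relay only ever holds the derived key, and the two random numbers ensure that every communication request yields a fresh key even for the same WD and Relay pair.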
It should be noted that the following points also apply to the authorization verification method of this application:
Optionally, first: the association relationship verification in step 1105 and step 1107 may be performed at only one of the two, or at both.
Optionally, second: the key for protecting communication security between the remote device and the relay device is optional; that is, the key need not be generated in step 1108. In that case the first random number generated by WD and the second random number generated by MME-WD need not be generated or transmitted either, but the NAS message of the remote device and the NAS message of MME-WD still need to be transmitted; their function is to complete the security authentication between WD and Relay by checking the integrity of the NAS message of the remote device.
Optionally, third: if the key for protecting communication security between the remote device and the relay device needs to be generated, the interaction between WD and MME-WD optionally need not be encapsulated in NAS messages; that is, the first random number and the WD ID need not be encapsulated in the NAS message of the remote device, and the second random number need not be encapsulated in the NAS message of MME-WD.
Optionally, fourth: if the NAS message of the remote device in the communication request does not include the WD ID, then in step 604 and step 605 the NAS message of the remote device in the first request message and in the second request message does not include the WD ID either.
Fig. 12 is an interaction diagram of Embodiment 12 of the authorization verification method provided by the embodiments of this application. As shown in Fig. 12, the authorization verification method provided by the embodiments of this application is similar to the embodiment shown in Fig. 11, the only difference being that PF may also perform authorization verification. Specifically, as shown in Fig. 12, step 1106 in Fig. 11 above may be replaced by step 1201, and step 1107 by step 1202.
Step 1201: MME-WD sends the WD ID and the Relay ID to PF.
Optionally, similarly to step 1106 above, MME-WD may also send to PF other relevant parameters required for verifying the association relationship between Relay and WD. In addition, MME-WD may also send content such as the relay service code to MME-relay.
Step 1202: PF verifies the association relationship between Relay and WD and feeds back a second response message to MME-WD.
For the specific implementation of the verification of the association relationship between Relay and WD by PF, refer to the description in step 702 above; details are not described herein again.
It should be noted that the following points also apply to the authorization verification method provided by the embodiments of this application:
Optionally, first: the key for protecting communication security between the remote device and the relay device is optional; that is, the key need not be generated in step 1108. In that case the first random number generated by WD and the second random number generated by MME-WD need not be generated or transmitted either, but the NAS message of the remote device and the NAS message of MME-WD still need to be transmitted; their function is to complete the security authentication between WD and Relay by checking the integrity of the NAS message of the remote device.
Optionally, second: if the key for protecting communication security between the remote device and the relay device needs to be generated, the interaction between WD and MME-WD optionally need not be encapsulated in NAS messages; that is, the first random number and the WD ID need not be encapsulated in the NAS message of the remote device, and the second random number need not be encapsulated in the NAS message of MME-WD.
Optionally, third: if the NAS message of the remote device in the communication request does not include the WD ID, then in step 604 and step 605 the NAS message of the remote device in the first request message and in the second request message does not include the WD ID either.
Fig. 13 is an interaction diagram of Embodiment 13 of the authorization verification method provided by the embodiments of this application. As shown in Fig. 13, the specific steps of the authorization verification method provided by the embodiments of this application are as follows:
Step 1301: WD and Relay successfully register with the network.
Step 1302: an update of authorization information occurs on PF or HSS.
Optionally, an update of the first authorization information relating to Relay and/or of the second authorization information relating to WD may occur on PF and/or HSS.
Step 1303: MME-WD and/or MME-relay apply the update of the authorization information.
Optionally, PF and/or HSS configure the updated first authorization information on MME-relay.
Optionally, PF and/or HSS configure the updated second authorization information on MME-WD.
Step 1304: MME-WD stores the second authorization information relating to WD, and MME-relay stores the first authorization information relating to Relay.
Step 1305: the discovery procedure over the communication interface is performed between WD and Relay.
Step 1306: WD sends a communication request to Relay.
The communication request carries the identifier of the remote device (WD ID). Optionally, the communication request further includes a first NAS message (the NAS message of WD) and/or a relay service code. For the other content of the communication request, refer to the description of step 101 in the embodiment shown in Fig. 1; details are not described herein again.
Step 1307: Relay generates the first request message and sends it to PF.
Step 1308: PF verifies the association relationship between Relay and WD and generates the key.
Optionally, after PF receives the first request message, it may perform one or more of the following operations: first, PF verifies the association relationship between Relay and WD; second, PF generates the key. Optionally, the key is the security key for protecting communication between WD and Relay.
Step 1309: PF feeds back the key and the security parameters required for generating the key to Relay.
Optionally, PF feeds back the key and the security parameters required for generating the key to Relay in the first response message.
Step 1310: Relay feeds back the security parameters required for generating the key to WD.
In one embodiment, Relay feeds back the security parameters required for generating the key to WD in the communication response.
Step 1311: WD sends a service request to MME-WD.
Optionally, the service request carries the WD ID and the Relay ID. Optionally, the service request also carries the relay service code.
Step 1312: MME-WD verifies the association relationship between Relay and WD.
Optionally, in this step the association relationship between Relay and WD may instead be verified by MME-relay, or by both MME-WD and MME-relay.
Optionally, if no key was generated in step 1308, MME-WD generates the security key for protecting communication between WD and Relay.
Step 1313: MME-WD sends an initial context setup request to eNB, carrying the WD ID and the Relay ID.
Step 1314: eNB completes the bearer mapping and binding between WD and Relay.
Step 1315: RRC connection configuration is performed between eNB and Relay.
Step 1316: RRC connection configuration is performed between eNB and WD.
Step 1317: eNB feeds back an initial context setup complete message to MME-WD.
For the implementation principles and technical effects of each step in this embodiment, refer to the related descriptions in the above embodiments; details are not described herein again.
Figure 14 is an interaction diagram of Embodiment 14 of the authorization verification method provided by the embodiments of the present application. As shown in Figure 14, the method is similar to the embodiment shown in Figure 6 and includes the following steps:
Step 1401: the WD and the Relay successfully register with the network.
Step 1402: the WD sends the NAS message of the remote device to the MME-WD.
The NAS message of the remote device carries the identifier of the remote device (WD ID) and the identifier of the relay device (Relay ID). Optionally, the NAS message of the remote device further includes a relay service code and/or a first random number.
Step 1403: the MME-WD verifies the integrity of the NAS message of the remote device, and verifies the association relationship between the Relay and the WD.
Optionally, the MME-WD may perform one or both of the following operations: verify the integrity of the NAS message of the remote device; verify the association relationship between the Relay and the WD.
Step 1404: the MME-WD sends a first authorization verification request message to the MME-relay.
Step 1405: the MME-relay verifies the association relationship between the Relay and the WD, and feeds back a first authorization verification response message to the MME-WD.
For the specific implementation of the verification of the association relationship between the Relay and the WD by the MME-relay, refer to the description of step 105 in the embodiment shown in Figure 1; details are not repeated here.
Step 1406: the MME-WD generates a key.
Specifically, the MME-WD generates, according to the WD ID, the key used to protect the communication security between the WD and the Relay, together with the security parameters needed to generate the key. For the specific operation of key generation, refer to step 502 in the embodiment shown in Figure 5; details are not repeated here.
Step 1407: the MME-WD returns the key, and the security parameters needed to generate the key, to the eNB.
Optionally, the MME-WD returns the key and the security parameters needed to generate the key to the eNB in a pairing request.
Step 1408: the eNB establishes the bearer mapping and binding of the WD and the Relay.
Step 1409: the eNB feeds back the key and the security parameters needed to generate the key to the Relay, and RRC connection configuration is performed between the eNB and the Relay.
Step 1410: the eNB feeds back a pairing response to the MME-WD.
Step 1411: the MME-WD feeds back the security parameters needed to generate the key to the WD.
Step 1412: the WD generates the key according to the security parameters needed to generate the key.
Step 1413: the WD sends a communication request to the Relay.
Step 1414: the Relay feeds back a communication response to the WD.
It is worth noting that the authorization verification method of the present application also needs to take the following points into account:
Optionally, first: the verification of the association relationship in step 1403 and in step 1405 may be performed in only one of the two steps, or in both.
Optionally, second: the key used to protect the communication security between the remote device and the relay device is optional, that is, step 1406 may not need to generate a key. In that case, the first random number generated by the WD and the second random number generated by the MME-WD, both required only for generating the key, also need not be generated or transmitted.
For the implementation principle of each step in this embodiment, refer to the related descriptions in the embodiments above; details are not repeated here.
Figure 15 is an interaction diagram of Embodiment 15 of the authorization verification method provided by the embodiments of the present application. As shown in Figure 15, the method is similar to the embodiment shown in Figure 14; the only difference is that the PF may also perform authorization verification. Specifically, as shown in Figure 15, step 1403 in Figure 14 may be replaced by steps 1501 to 1504.
Step 1501: the MME-WD verifies the integrity of the NAS message of the remote device.
For the integrity verification of the NAS message of the remote device by the MME-WD, refer to the description of step 501 in the embodiment shown in Figure 5; details are not repeated here.
Step 1502: the MME-WD sends a second authorization verification request message to the PF.
The MME-WD sends the second authorization verification request message to the PF according to the NAS message of the remote device.
Step 1503: the PF verifies the association relationship between the Relay and the WD, and generates a second authorization verification response message.
Optionally, the PF verifies the association relationship between the Relay and the WD according to the authorization verification request message.
For the specific implementation of the verification of the association relationship between the Relay and the WD by the PF, refer to the description of step 702 above; details are not repeated here.
Step 1504: the PF feeds back the second authorization verification response message to the MME-WD.
The content carried in the third request message is consistent with the content of the first request message.
For the implementation principle and technical effect of each step in this embodiment, refer to the related descriptions in the embodiments of Figures 1 to 5; details are not repeated here.
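The following Python simulation is an added example and is not code from the patent. It models the checks that Figures 13 to 15 distribute between the PF, the MME-WD and the MME-relay: verifying the association relationship against the first (relay-side) and second (WD-side) authorization information, verifying the check code of the WD's NAS message before any authorization lookup, and deriving the WD-Relay key from the WD's underlying security key so that only parameters, never the key itself, are returned to the WD. The message format, the allow-list representation of the authorization information, the HMAC-SHA256 NAS check code, the HKDF-based derivation, the nonce sizes and every identifier in it are assumptions made for the example.

```python
"""Added example, not the patent's code: the checks of Figures 13 to 15 run on
constructed data.  Assumed: allow-list authorization information, HMAC-SHA256
NAS check code truncated to 32 bits, single-block HKDF-SHA256 key derivation."""
import hashlib
import hmac
import secrets

NAS_MAC_LEN, KEY_LEN = 4, 32      # assumed sizes: 32-bit NAS-MAC, 256-bit key
KDF_LABEL = b"wd-relay-key"       # assumed domain-separation label

def hkdf_sha256(ikm, salt, info, length=KEY_LEN):
    """Single-block HKDF (RFC 5869); enough for outputs up to 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def nas_mac(k_nas_int, count, payload):
    """Check code of a NAS message, bound to the uplink NAS COUNT."""
    data = count.to_bytes(4, "big") + payload
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:NAS_MAC_LEN]

def encode(wd_id, relay_id, code, nonce_wd):
    """Constructed serialisation of the NAS message fields of step 1402."""
    return b"|".join([wd_id.encode(), relay_id.encode(),
                      str(code).encode(), nonce_wd.hex().encode()])

def verify_association(auth_info, subject, peer, code):
    """Steps 1403/1405/1503.  auth_info is the first (relay-side) or second
    (WD-side) authorization information: identifier -> {(peer, service code)}."""
    return (peer, code) in auth_info.get(subject, set())

def derive_relay_key(k_base, wd_id, params):
    """Steps 1406/1412: only k_base is secret; params travel in clear to the WD."""
    info = KDF_LABEL + encode(wd_id, params["relay_id"], params["code"], params["nonce_wd"])
    return hkdf_sha256(k_base, salt=params["nonce_mme"], info=info)

class MmeRelay:
    """MME of the relay: checks the first authorization information (step 1405)."""
    def __init__(self, first_auth_info):
        self.auth = first_auth_info
    def verify(self, relay_id, wd_id, code):
        return verify_association(self.auth, relay_id, wd_id, code)

class MmeWd:
    """MME of the remote device: steps 1403 to 1406."""
    def __init__(self, second_auth_info, contexts, mme_relay):
        self.auth, self.ctx, self.mme_relay = second_auth_info, contexts, mme_relay

    def handle_nas(self, wd_id, relay_id, code, nonce_wd, count, mac):
        """Returns (key, security parameters) or raises PermissionError."""
        ctx = self.ctx[wd_id]   # NAS context: k_nas_int, k_base, ul_count
        # step 1403: integrity and replay checks precede any authorization lookup
        if count < ctx["ul_count"]:
            raise PermissionError("NAS COUNT replayed")
        expected = nas_mac(ctx["k_nas_int"], count, encode(wd_id, relay_id, code, nonce_wd))
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("NAS-MAC mismatch")
        ctx["ul_count"] = count + 1
        # step 1403: second authorization information (may the WD use this relay?)
        if not verify_association(self.auth, wd_id, relay_id, code):
            raise PermissionError("WD not authorised to use this relay")
        # steps 1404/1405: first authorization information, checked by MME-relay
        if not self.mme_relay.verify(relay_id, wd_id, code):
            raise PermissionError("relay not authorised to serve this WD")
        # step 1406: the relay receives the key, the WD receives only these parameters
        params = {"relay_id": relay_id, "code": code,
                  "nonce_wd": nonce_wd, "nonce_mme": secrets.token_bytes(16)}
        return derive_relay_key(ctx["k_base"], wd_id, params), params

def run_pairing():
    """End-to-end run on constructed data: an authorised relay, a relay the WD may
    use but that may not serve it, then a replayed and a tampered NAS message."""
    k_nas, k_base = secrets.token_bytes(16), secrets.token_bytes(32)
    wd_id, relay_ok, relay_bad, code = "wd-001", "relay-A", "relay-B", 7
    mme_relay = MmeRelay({relay_ok: {(wd_id, code)}})
    # NAS context of the WD at MME-WD: integrity key, base key, next uplink NAS COUNT
    contexts = {wd_id: {"k_nas_int": k_nas, "k_base": k_base, "ul_count": 0}}
    mme_wd = MmeWd({wd_id: {(relay_ok, code), (relay_bad, code)}}, contexts, mme_relay)

    def wd_nas(relay_id, count, tamper=False):          # step 1402 at the WD
        nonce_wd = secrets.token_bytes(16)
        mac = nas_mac(k_nas, count, encode(wd_id, relay_id, code, nonce_wd))
        mac = bytes(b ^ 0xFF for b in mac) if tamper else mac
        return wd_id, relay_id, code, nonce_wd, count, mac

    key, params = mme_wd.handle_nas(*wd_nas(relay_ok, 0))  # steps 1403 to 1411
    wd_key = derive_relay_key(k_base, wd_id, params)       # step 1412 at the WD
    results = {"keys_match": key == wd_key, "key_len": len(key)}
    for name, msg in [("replay", wd_nas(relay_ok, 0)),
                      ("tampered", wd_nas(relay_ok, 1, tamper=True)),
                      ("unauthorised_relay", wd_nas(relay_bad, 1))]:
        try:
            mme_wd.handle_nas(*msg)
            results[name] = "accepted"
        except PermissionError as err:
            results[name] = str(err)
    return results
```

Calling run_pairing() returns the outcome of each check. Two properties of the flow are worth preserving in any real implementation: the relay receives the key but never the WD's base key, and the security parameters returned to the WD (through the relay in Figure 13, or in the NAS response in Figure 14) contain nothing secret, so an eavesdropper on the PC5 interface learns only nonces; and the integrity and NAS COUNT checks run first, so a forged or replayed request cannot drive lookups against the MME-relay or the PF.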
Figure 16 is a schematic structural diagram of an authorization verification device provided by the embodiments of the present application. The device may be located in the mobility management entity of the relay device. As shown in Figure 16, the device of this embodiment may include a receiving module 1601, a processing module 1602 and a sending module 1603.
The receiving module 1601 is configured to receive a first request message sent by the relay device; the first request message includes the identifier of the remote device.
The processing module 1602 is configured to trigger, according to the first request message, the verification of the association relationship between the remote device and the relay device.
The sending module 1603 is configured to generate a first response message after the processing module 1602 determines that the association relationship has been verified, and to send the first response message to the relay device.
The sending module 1603 is further configured to send a second request message to the mobility management entity of the remote device; the second request message includes the identifier of the remote device.
The receiving module 1601 is further configured to receive a second response message that the mobility management entity of the remote device sends after performing security processing on the remote device according to the second request message.
The device of this embodiment may be used to execute the technical solution of the mobility management entity of the relay device in the method embodiment shown in Figure 1; the implementation principle and technical effect are similar and are not repeated here.
Optionally, the processing module 1602 is specifically configured to obtain the first authorization information according to the first request message, and to verify, according to the identifier of the remote device, the identifier of the relay device and the first authorization information, whether the remote device is allowed to access the network through the relay device.
Optionally, the processing module 1602 is specifically configured to obtain, after the relay device has successfully registered with the network, the first authorization information from either or both of the user data management entity (HSS) and the proximity function entity (PF) according to the identifier of the relay device.
Further, when the first request message further includes a relay service code, the processing module 1602 is specifically configured to obtain the first authorization information according to the first request message, and to verify, according to the identifier of the remote device, the identifier of the relay device, the relay service code and the first authorization information, whether the remote device is allowed to access the network through the relay device.
As an example, the receiving module 1601 is further configured to receive the key, and the security parameters needed to generate the key, sent by the mobility management entity of the remote device.
The sending module 1603 is further configured to send the key and the security parameters needed to generate the key to the relay device.
Optionally, in one embodiment, the sending module 1603 is further configured to send a key request message to the security function entity, so that the security function entity obtains, according to the key request message, the key used to protect the communication security between the remote device and the relay device and the security parameters needed to generate the key, and feeds back the key and the security parameters needed to generate the key to the mobility management entity of the relay device. The key request message includes the identifier of the remote device.
The sending module 1603 is further configured to send the key and the security parameters needed to generate the key to the relay device.
Optionally, in another embodiment, the sending module 1603 is further configured to send a third request message to the proximity function entity, so that the proximity function entity verifies, according to the third request message, whether the remote device is allowed to access the network through the relay device. The third request message includes the identifier of the remote device and the identifier of the relay device.
Further, in the above embodiments, when the first request message further includes the NAS message of the remote device and the check code of the NAS message, the second request message further includes the NAS message of the remote device and the check code of the NAS message.
The above device may be used to execute the methods provided by the above method embodiments; the specific implementation and technical effect are similar and are not repeated here.
Figure 17 is a schematic structural diagram of another authorization verification device provided by the embodiments of the present application. The device is located in the mobility management entity of the remote device. As shown in Figure 17, the device of this embodiment may include a receiving module 1701, a processing module 1702 and a sending module 1703.
The receiving module 1701 is configured to receive a second request message sent by the mobility management entity of the relay device; the second request message includes the identifier of the remote device.
The processing module 1702 is configured for the mobility management entity of the remote device to perform security processing on the remote device according to the second request message.
The sending module 1703 is configured to send a second response message to the mobility management entity of the relay device after the processing module 1702 has performed security processing on the remote device.
The device of this embodiment may be used to execute the technical solution of the mobility management entity of the remote device in the method embodiment shown in Figure 1; the implementation principle and technical effect are similar and are not repeated here.
Optionally, in one embodiment, the processing module 1702 is specifically configured to obtain the second authorization information according to the second request message, and to verify, according to the identifier of the remote device, the identifier of the relay device and the second authorization information, whether the remote device is allowed to access the network through the relay device.
As an example, the processing module 1702 is specifically configured to obtain, after the remote device has successfully registered with the network, the second authorization information from the user data management entity (HSS) and/or the proximity function entity (PF) according to the identifier of the remote device.
Optionally, in another embodiment, when the second request message further includes a relay service code, the processing module 1702 is configured to obtain the second authorization information according to the second request message, and to verify, according to the identifier of the remote device, the identifier of the relay device, the relay service code and the second authorization information, whether the remote device is allowed to access the network through the relay device.
Optionally, in another embodiment, the processing module 1702 is specifically configured to obtain the NAS context information of the remote device according to the identifier of the remote device in the second request message, and to verify the check code of the NAS message of the remote device according to the NAS context information. In this embodiment the second request message includes the NAS message of the remote device, the check code of the NAS message and the identifier of the remote device.
Optionally, in another embodiment, the processing module 1702 is further configured to obtain the NAS context information of the remote device according to the identifier of the remote device in the second request message, and to generate, according to the NAS context information, the key used to protect the communication security between the remote device and the relay device.
The sending module 1703 is further configured to send the key and the security parameters needed to generate the key to the mobility management entity of the relay device.
Optionally, in another embodiment, the sending module 1703 is further configured to send a key request message to the security function entity, so that the security function entity obtains, according to the key request message, the key used to protect the communication security between the remote device and the relay device and the security parameters needed to generate the key, and feeds back the key and the security parameters needed to generate the key to the mobility management entity of the remote device. The key request message includes the identifier of the remote device.
The above device may be used to execute the methods provided by the above method embodiments; the specific implementation and technical effect are similar and are not repeated here.
Figure 18 is a schematic structural diagram of another authorization verification device provided by the embodiments of the present application. The device may be located in the relay device. As shown in Figure 18, the device of this embodiment may include a receiving module 1801, a processing module 1802 and a sending module 1803.
The receiving module 1801 is configured to receive a communication request sent by the remote device; the communication request includes the identifier of the remote device.
The processing module 1802 is configured to generate a first request message according to the communication request; the first request message includes the identifier of the remote device.
The sending module 1803 is configured to send the first request message to the mobility management entity of the relay device.
The receiving module 1801 is further configured to receive the first response message that the mobility management entity of the relay device sends after determining that the association relationship has been verified.
The sending module 1803 is further configured to send a communication response to the remote device according to the first response message.
The device of this embodiment may be used to execute the technical solution of the relay device in the method embodiment shown in Figure 1; the implementation principle and technical effect are similar and are not repeated here.
Optionally, in an embodiment of the present application, the receiving module 1801 is further configured to receive the key used to protect the communication security between the remote device and the relay device, and the security parameters needed to generate the key, sent by the mobility management entity of the relay device.
The sending module 1803 is further configured to send the security parameters to the remote device in the communication response, so that the remote device generates, according to the security parameters, the key used to protect the communication security between the remote device and the relay device.
The above device may be used to execute the methods provided by the above method embodiments; the specific implementation and technical effect are similar and are not repeated here.
Figure 19 is a schematic structural diagram of another authorization verification device provided by the embodiments of the present application. The device may be located in the mobility management entity of the relay device, in the mobility management entity of the remote device, or in the proximity function entity (PF). As shown in Figure 19, the device of this embodiment may include a receiving module 1901, a processing module 1902 and a sending module 1903.
The receiving module 1901 is configured to receive a first request message sent by the relay device; the first request message includes the identifier of the remote device.
The processing module 1902 is configured to trigger, according to the first request message, the verification of the association relationship between the remote device and the relay device.
The sending module 1903 is configured to send a first response message to the relay device after the processing module 1902 determines that the association relationship has been verified.
Optionally, in an embodiment of the present application, the processing module 1902 is specifically configured to obtain the first authorization information according to the first request message, and to verify, according to the identifier of the remote device, the identifier of the relay device and the first authorization information, whether the remote device is allowed to access the network through the relay device.
As an example, the processing module 1902 is specifically configured to obtain, after the relay device and the remote device have successfully registered with the network, the first authorization information from either or both of the user data management entity (HSS) and the proximity function entity according to the first request message.
Optionally, in another embodiment of the present application, when the first request message further includes a relay service code, the processing module 1902 is specifically configured to obtain the first authorization information according to the first request message, and to verify, according to the identifier of the remote device, the identifier of the relay device, the relay service code and the first authorization information, whether the remote device is allowed to access the network through the relay device.
Optionally, in yet another embodiment of the present application, the sending module 1903 is further configured to send a second request message to a first mobility management entity, so that the first mobility management entity verifies, according to the second request message, whether the remote device is allowed to access the network through the relay device.
In this embodiment, when the authorization verification device is located in the mobility management entity of the relay device, the first mobility management entity is the proximity function entity or the mobility management entity of the remote device; when the authorization verification device is located in the mobility management entity of the remote device, the first mobility management entity is the proximity function entity or the mobility management entity of the relay device; and when the authorization verification device is located in the proximity function entity, the first mobility management entity is the mobility management entity of the remote device or the mobility management entity of the relay device.
Optionally, in yet another embodiment of the present application, when the first request message includes the NAS message of the remote device and the check code of the NAS message, and the second request message includes the NAS message of the remote device, the check code of the NAS message and the identifier of the remote device, the processing module 1902 is configured to send the second request message to the mobility management entity of the remote device, so that the mobility management entity of the remote device performs security processing on the remote device according to the second request message.
In this embodiment, the authorization verification device may be located in the mobility management entity of the relay device or in the proximity function entity.
Optionally, in yet another embodiment of the present application, when the authorization verification device is located in the mobility management entity of the remote device, the receiving module 1901 is specifically configured to receive the first request message of the relay device as forwarded by the base station; in this case the first request message further includes the identifier of the relay device.
Optionally, in the above embodiments of the present application, when the first request message includes the NAS message of the remote device and the check code of the NAS message, the processing module 1902 is specifically configured to obtain the NAS context information of the remote device according to the identifier of the remote device, and to verify the check code of the NAS message according to the NAS context information.
Optionally, in yet another embodiment of the present application, the sending module 1903 is further configured to send a second request message to the first mobility management entity, so that the first mobility management entity obtains the NAS context information of the remote device according to the identifier of the remote device, generates, according to the NAS context information, the key used to protect the communication security between the remote device and the relay device, and feeds back the key and the security parameters needed to generate the key to the authorization verification device.
The sending module 1903 is further configured to send the key and the security parameters needed to generate the key to the relay device, so that the relay device returns the security parameters to the remote device and the remote device generates, according to the security parameters, the key used to protect the communication security between the remote device and the relay device.
In this embodiment, the authorization verification device may be located in the mobility management entity of the relay device, and the first mobility management entity is the proximity function entity or the mobility management entity of the remote device.
Optionally, in yet another embodiment of the present application, the processing module 1902 is further configured to obtain the NAS context information of the remote device according to the identifier of the remote device, to generate, according to the NAS context information, the key used to protect the communication security between the remote device and the relay device, and to feed back the key and the security parameters needed to generate the key to the mobility management entity of the relay device for forwarding to the relay device, so that the relay device returns the security parameters to the remote device and the remote device generates, according to the security parameters, the key used to protect the communication security between the remote device and the relay device.
In this embodiment, the authorization verification device is located in the mobility management entity of the remote device or in the proximity function entity.
Optionally, in the above embodiments of the present application, the key is generated by the mobility management entity of the remote device according to the underlying security key of the remote device.
Optionally, in the above embodiments of the present application, the context information of the relay device is stored in the mobility management entity of the relay device, the context information of the remote device is stored in the mobility management entity of the remote device, and the context information of both the relay device and the remote device is stored in the proximity function entity.
Optionally, in yet another embodiment of the present application, the sending module 1903 is further configured to send a key request message to the security function entity, so that the security function entity obtains, according to the key request message, the key used to protect the communication security between the remote device and the relay device and the security parameters needed to generate the key, and feeds back the key and the security parameters needed to generate the key to the network-side device. The key request message includes the identifier of the remote device.
In addition, the authorization verification device provided by the embodiments of the present application may also implement each step of the method for the authorization verification device in the various optional embodiments above; for the implementation principle and beneficial effects, refer to the method embodiments above, which are not repeated here.
It should be noted that the division of the above device into modules is only a division by logical function; in actual implementation the modules may be fully or partially integrated on one physical entity, or may be physically separate. These modules may all be implemented in software invoked by a processing element, all in hardware, or partly in software invoked by a processing element and partly in hardware. For example, the determining module may be a separately provided processing element, or may be integrated in a chip of the above device; it may also be stored in the memory of the above device in the form of program code and invoked by a processing element of the above device to execute the function of the determining module. The other modules are implemented similarly. In addition, these modules may be fully or partially integrated together, or implemented independently. The processing element described here may be an integrated circuit with signal processing capability. In the implementation process, each step of the above method or each of the above modules may be completed by an integrated logic circuit of hardware in the processor element or by instructions in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above method, such as one or more application specific integrated circuits (ASIC), one or more digital signal processors (DSP), or one or more field programmable gate arrays (FPGA). For another example, when one of the above modules is implemented by a processing element scheduling program code, the processing element may be a general-purpose processor, for example a central processing unit (CPU) or another processor capable of invoking program code. For another example, these modules may be integrated together and implemented in the form of a system on a chip (SoC).
Figure 20 is a schematic structural diagram of another authorization verification device provided by the embodiments of the present application. The authorization verification device provided by this example includes a processor 2001, a memory 2002, a transceiver 2003, a communication interface 2004 and a system bus 2005. The memory 2002 and the communication interface 2004 are connected to the processor 2001 and the transceiver 2003 through the system bus 2005 and communicate with each other. The memory 2002 is used to store computer-executable instructions, the communication interface 2004 is used to communicate with other devices, and the processor 2001 and the transceiver 2003 are used to run the computer-executable instructions so that the authorization verification device executes the steps applied to the mobility management entity of the relay device in the authorization verification method above.
Specifically, in Figure 16 above, the receiving module 1601 and the sending module 1603 correspond to the transceiver 2003, and the processing module 1602 corresponds to the processor 2001.
Figure 21 is a schematic structural diagram of another authorization verification device provided by the embodiments of the present application. The authorization verification device provided by this example includes a processor 2101, a memory 2102, a transceiver 2103, a communication interface 2104 and a system bus 2105. The memory 2102 and the communication interface 2104 are connected to the processor 2101 and the transceiver 2103 through the system bus 2105 and communicate with each other. The memory 2102 is used to store computer-executable instructions, the communication interface 2104 is used to communicate with other devices, and the processor 2101 and the transceiver 2103 are used to run the computer-executable instructions so that the authorization verification device executes the steps applied to the mobility management entity of the remote device in the authorization verification method above.
Specifically, in Figure 17 above, the receiving module 1701 and the sending module 1703 correspond to the transceiver 2103, and the processing module 1702 corresponds to the processor 2101.
Figure 22 is a schematic structural diagram of another authorization verification device provided by the embodiments of the present application. The authorization verification device provided by this example includes a processor 2201, a memory 2202, a transceiver 2203, a communication interface 2204 and a system bus 2205. The memory 2202 and the communication interface 2204 are connected to the processor 2201 and the transceiver 2203 through the system bus 2205 and communicate with each other. The memory 2202 is used to store computer-executable instructions, the communication interface 2204 is used to communicate with other devices, and the processor 2201 and the transceiver 2203 are used to run the computer-executable instructions so that the authorization verification device executes the steps applied to the relay device in the authorization verification method above.
Specifically, in Figure 18 above, the receiving module 1801 and the sending module 1803 correspond to the transceiver 2203, and the processing module 1802 corresponds to the processor 2201.
Figure 23 is a schematic structural diagram of another authorization verification device provided by the embodiments of the present application. The authorization verification device provided by this example includes a processor 2301, a memory 2302, a transceiver 2303, a communication interface 2304 and a system bus 2305. The memory 2302 and the communication interface 2304 are connected to the processor 2301 and the transceiver 2303 through the system bus 2305 and communicate with each other. The memory 2302 is used to store computer-executable instructions, the communication interface 2304 is used to communicate with other devices, and the processor 2301 and the transceiver 2303 are used to run the computer-executable instructions so that the authorization verification device executes the steps applied to the network-side device in the authorization verification method above.
Specifically, in Figure 19 above, the receiving module 1901 and the sending module 1903 correspond to the transceiver 2303, and the processing module 1902 corresponds to the processor 2301.
The system bus mentioned in Figures 20 to 23 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is drawn in the figures, which does not mean that there is only one bus or only one type of bus. The communication interface is used to implement communication between the database access device and other devices (such as a client, a read-write library and a read-only library). The memory may include random access memory (RAM) and may also include non-volatile memory, for example at least one magnetic disk memory.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and so on; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Optionally, Figure 24 is an interaction diagram of Embodiment 16 of the authorization verification method provided by the embodiments of this application. As shown in Figure 24, the method includes the following steps.
Step 2401: the relay device receives a communication request sent by the remote device.
As one example, the communication request contains a non-access stratum (NAS) message of the remote device. Optionally, the NAS message contains the identifier of the remote device; optionally, the identifier of the remote device is carried directly in the communication request. Optionally, the remote device sends its NAS message to the relay device in the communication request during establishment of the communication interface (for example, the PC5 interface) between the relay device and the remote device.
As another example, the communication request does not contain the NAS message of the remote device; the remote device sends its NAS message to the relay device either during establishment of the communication interface (for example, the PC5 interface) between the relay device and the remote device or after that establishment has completed.
Optionally, the communication request may further contain one or more of the following: a relay service code and a first random number. Optionally, the first random number is generated by the remote device and may be carried directly in the communication request. Optionally, when the communication request contains the NAS message of the remote device, the first random number is instead carried inside that NAS message rather than directly in the communication request.
Step 2402: the relay device generates a first radio resource control (RRC) message from the communication request and sends the first RRC message to the base station.
Optionally, the first RRC message is an RRC message of the remote device, or, alternatively, the first RRC message is an RRC message of the relay device. Optionally, the first RRC message is an RRC Connection Setup Complete message.
Optionally, in one embodiment, after receiving the communication request of the remote device, the relay device encapsulates the content of the communication request into the first RRC message and sends it to the base station.
In another embodiment, besides encapsulating the content of the received communication request (for example, the NAS message of the remote device) into the first RRC message, the relay device may also add to the first RRC message other parameters needed to verify the association relationship between the remote device and the relay device, for example its own identifier, so that the first RRC message contains the identifier of the relay device.
That is, the relay device sends its identifier to the base station in the first RRC message so that the base station can recognize that the remote device is requesting network access through the relay device. The base station can then determine the identifier of the relay device and the identifier of the remote device from the first RRC message and, on recognizing that the remote device is requesting access through the relay device, send an Initial UE message to the mobility management entity of the remote device, which in turn triggers the mobility management entity of the remote device to verify the association relationship between the relay device and the remote device.
Step 2403: the base station receives the first RRC message sent by the relay device.
Optionally, the first RRC message contains the NAS message of the remote device.
In this embodiment, when the communication request sent by the remote device to the relay device contains the NAS message of the remote device, the relay device encapsulates that NAS message into the first RRC message, so the first RRC message received by the base station also contains the NAS message of the remote device.
Step 2404: the base station recognizes from the first RRC message that the remote device is requesting network access through the relay device, and obtains the identifier of the relay device.
After receiving the first RRC message, the base station can recognize from it that the remote device is requesting network access through the relay device. For example, optionally, the base station recognizes that the received first RRC message is an RRC message of the remote device and thereby determines that the remote device is requesting access through the relay device; or, optionally, the base station recognizes that the first RRC message is an RRC message of the relay device but contains the identifier of the remote device, and thereby determines that the remote device is requesting access through the relay device.
Optionally, at the same time as recognizing that the remote device is requesting access through the relay device, the base station obtains the identifier of the relay device and then sends the identifier of the relay device and the NAS message of the remote device to the mobility management entity of the remote device, triggering that entity to verify the association relationship between the remote device and the relay device.
In the embodiments of this application, the base station may obtain the identifier of the relay device in one of the following ways.
As one example, after the relay device has established a connection with the base station, the base station establishes and stores context information for the relay device, which includes the identifier of the relay device. Therefore, when the base station recognizes from the first RRC message that the remote device is requesting access through the relay device, it can be triggered to obtain the identifier of the relay device from the stored relay device context.
As another example, when the relay device encapsulates its own identifier into the first RRC message together with the relevant content of the communication request, the base station can obtain the identifier of the relay device from the first RRC message itself.
Step 2405: the base station sends the identifier of the relay device and the NAS message of the remote device to the mobility management entity of the remote device in an Initial UE message.
In this embodiment, if the association relationship between the remote device and the relay device is to be verified, the base station generates an Initial UE message for the remote device from the obtained identifier of the relay device and the NAS message of the remote device, and sends both to the mobility management entity of the remote device in that message, thereby triggering that entity to verify the association relationship. The various ways of performing the verification are described under step 2407 below and are not repeated here.
As for the identifier of the remote device, it may be contained in the NAS message of the remote device within the first RRC message and/or directly in the first RRC message. Therefore, optionally, the base station obtains the identifier of the remote device from the first RRC message and includes it in the Initial UE message. Thus the identifier of the remote device may be contained in the NAS message of the remote device within the Initial UE message and/or directly in the Initial UE message.
Step 2406: the mobility management entity of the remote device receives the Initial UE message sent by the base station.
Optionally, the Initial UE message contains the NAS message of the remote device and the identifier of the relay device.
Optionally, the Initial UE message also directly contains the identifier of the remote device.
Step 2407: the mobility management entity of the remote device triggers, according to the Initial UE message, verification of the association relationship between the remote device and the relay device.
Optionally, the triggering may take one or more of the following forms. First, the mobility management entity of the remote device itself verifies the association relationship between the remote device and the relay device according to the Initial UE message. Second, the mobility management entity of the remote device sends the identifier of the remote device and the identifier of the relay device to the mobility management entity of the relay device, which verifies the association relationship. Third, the mobility management entity of the remote device sends the identifier of the remote device and the identifier of the relay device to the proximity service (ProSe) function entity, which verifies the association relationship.
It should be noted that when the second form is not used, the mobility management entity of the remote device need not interact with the mobility management entity of the relay device, and when the third form is not used, it need not interact with the ProSe function entity.
It should also be noted that when the mobility management entity of the remote device uses more than one of the above forms, this embodiment does not restrict the order in which they are executed; any combination and execution order falls within the scope of protection of this application.
Optionally, in this embodiment, when the identifier of the remote device is contained in the NAS message of the remote device, the mobility management entity of the remote device can obtain authorization relationship information according to that identifier; this information indicates the list of relay devices associated with the remote device. The mobility management entity of the remote device can therefore verify the association relationship between the remote device and the relay device according to the Initial UE message; the specific verification method is described in the embodiment of Figure 25 below and is not repeated here.
Optionally, in another embodiment, the association relationship may be verified by the mobility management entity of the relay device. Specifically, the mobility management entity of the remote device sends a first verification request message, containing the identifier of the remote device and the identifier of the relay device, to the mobility management entity of the relay device, which verifies the association relationship according to that message. Note that the mobility management entity of the relay device also stores the list of remote devices associated with the relay device, so it can verify the association relationship by combining the identifier of the remote device and the identifier of the relay device with that list.
Optionally, in another embodiment, the association relationship may be verified by the ProSe function entity. Specifically, the mobility management entity of the remote device sends a second verification request message, containing the identifier of the remote device and the identifier of the relay device, to the ProSe function entity; because the ProSe function entity stores the list of remote devices associated with the relay device and/or the list of relay devices associated with the remote device, it can also verify the association relationship.
Optionally, because the Initial UE message contains the NAS message of the remote device, the mobility management entity of the remote device can also obtain the NAS context information of the remote device according to the identifier of the remote device and perform an integrity check on the NAS message of the remote device. Specifically, the mobility management entity of the remote device verifies the check value of the NAS message according to the NAS context information.
For example, a complete set of integrity protection keys, a NAS algorithm and NAS message counters (uplink and downlink) are established between the remote device and its mobility management entity. The remote device takes the integrity protection key, the value of the NAS message counter and the NAS message itself as inputs to the NAS algorithm, producing a check value (MAC-I) that is appended to the end of the NAS message. The mobility management entity of the remote device runs the same NAS algorithm to produce its own check value and compares the two: if they match, the integrity check passes; otherwise it fails.
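The check described above, as an added example that is not part of the patent: a Python sketch of the MME-side NAS integrity verification. The HMAC-SHA256 construction, the 4-byte truncation, the `NasContext` class and the message contents are assumptions standing in for the 3GPP NAS integrity algorithms (128-EIA1/2/3) and the real NAS security context. The point shown is that the check value binds the key, the NAS COUNT and the direction to the message, so a message replayed with a valid check value fails once the expected count has moved on, and a message modified in transit fails outright.

```python
import hmac
import hashlib
import struct
from typing import Optional, Tuple

# Constructed example, not the patent's or 3GPP's algorithm: the check value
# (MAC-I) is the first 4 bytes of HMAC-SHA256 over the inputs the patent lists,
# i.e. the integrity key, the NAS COUNT, the direction and the NAS message.
MAC_LEN = 4
UPLINK, DOWNLINK = 0, 1


def nas_mac(k_nas_int: bytes, count: int, direction: int, message: bytes) -> bytes:
    header = struct.pack(">IB", count & 0xFFFFFFFF, direction)
    return hmac.new(k_nas_int, header + message, hashlib.sha256).digest()[:MAC_LEN]


def protect_nas(k_nas_int: bytes, count: int, message: bytes) -> bytes:
    """Remote device side: append MAC-I computed with the uplink NAS COUNT."""
    return message + nas_mac(k_nas_int, count, UPLINK, message)


class NasContext:
    """Minimal NAS security context held by the MME for one remote device
    (assumed layout): the integrity key and the expected uplink NAS COUNT."""

    def __init__(self, k_nas_int: bytes) -> None:
        self.k_nas_int = k_nas_int
        self.ul_count = 0


def verify_nas(ctx: NasContext, protected: bytes) -> Tuple[bool, Optional[bytes]]:
    """MME side: recompute the check value and compare in constant time.
    On success the expected uplink COUNT advances, so a replayed copy of the
    same protected message fails the next time it is presented."""
    if len(protected) <= MAC_LEN:
        return False, None
    message, received_mac = protected[:-MAC_LEN], protected[-MAC_LEN:]
    expected = nas_mac(ctx.k_nas_int, ctx.ul_count, UPLINK, message)
    if not hmac.compare_digest(expected, received_mac):
        return False, None
    ctx.ul_count += 1
    return True, message


if __name__ == "__main__":
    key = b"\x11" * 16                     # constructed integrity key
    ctx = NasContext(key)
    msg = protect_nas(key, 0, b"ATTACH REQUEST remote-1 via relay-A")
    print("first delivery:", verify_nas(ctx, msg)[0])   # True
    print("replay:", verify_nas(ctx, msg)[0])           # False, COUNT has advanced
```

The constant-time compare matters because the MME is a network element that answers many devices; a byte-by-byte early-exit comparison would let an attacker learn the check value one byte at a time from timing.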
Optionally, the mobility management entity of the remote device may also obtain the NAS context information of the remote device according to the identifier of the remote device in the Initial UE message, generate from that context information a key for protecting the security of communication between the remote device and the relay device, and finally send the key, together with the security parameters needed to generate it, to the base station in an Initial Context Setup Request message. Here the identifier of the remote device is contained in the NAS message or directly in the Initial UE message.
Optionally, when the association relationship between the remote device and the relay device is verified but the integrity check of the remote device's NAS message fails, or the NAS message carries no integrity protection, the mobility management entity of the remote device sends a key request message, containing the identifier of the remote device, to a security function entity. The security function entity obtains, according to the key request message, the key for protecting communication between the remote device and the relay device and the security parameters needed to generate it, and returns the key and the security parameters to the mobility management entity of the remote device. Optionally, the security function entity may be a user data management entity, an authentication server function entity, a wearable function management entity, or the like.
Step 2408: after determining that the association relationship between the remote device and the relay device is verified, the mobility management entity of the remote device sends an Initial Context Setup Request message to the base station.
Optionally, in this embodiment, after the association relationship between the remote device and the relay device is verified, the mobility management entity of the remote device sends the Initial Context Setup Request message to the base station, and the message contains the identifier of the relay device.
Step 2409: the base station receives the Initial Context Setup Request message.
In this embodiment, as follows from step 2408, the Initial Context Setup Request message is sent by the mobility management entity of the remote device after it has determined that the association relationship between the remote device and the relay device is verified.
Optionally, when the mobility management entity of the remote device has generated the key for protecting communication between the remote device and the relay device, it also sends that key and the security parameters needed to generate it to the base station; correspondingly, the base station also receives the key and the security parameters needed to generate it from the mobility management entity of the remote device.
Step 2410: the base station establishes context information for the remote device according to the Initial Context Setup Request message.
Optionally, when the base station receives the Initial Context Setup Request message that the mobility management entity of the remote device sends after determining that the association relationship is verified, it establishes context information for the remote device according to that message and stores the context information of the remote device.
Optionally, the base station may also establish, according to the Initial Context Setup Request message, a mapping relationship between the remote device and the relay device, in order to route data and signaling for the remote device. Optionally, this mapping relationship includes the mapping of Data Radio Bearers (DRBs) between the remote device and the relay device and/or the mapping of Signalling Radio Bearers (SRBs) between the remote device and the relay device.
Step 2411: the base station sends a second RRC message to the relay device.
Optionally, with the second RRC message the base station informs the relay device that the association relationship between the remote device and the relay device has been verified. As an example, when the mobility management entity of the remote device has generated the key for protecting communication between the remote device and the relay device, the Initial Context Setup Request message received by the base station contains the key and the security parameters needed to generate it, and the base station may then include the key in the second RRC message sent to the relay device, so that the relay device can compare it with the key generated by the remote device and thereby protect the communication between the remote device and the relay device.
Step 2412: the relay device receives the second RRC message and determines from it that the remote device is allowed to access the network through the relay device.
Optionally, according to the second RRC message sent by the base station, the relay device establishes the mapping relationship between the remote device and the relay device in order to route data and signaling for the remote device. Optionally, this mapping relationship includes the mapping of DRBs between the remote device and the relay device and/or the mapping of SRBs between the remote device and the relay device.
Optionally, the second RRC message contains the key for protecting communication between the remote device and the relay device. The relay device uses this key to check whether the key held by the remote device is correct, thereby guaranteeing the security of communication between the remote device and the relay device.
Optionally, in this embodiment, the authorization verification method further includes step 2413.
Step 2413: the base station sends a third RRC message to the remote device.
After receiving the third RRC message from the base station, the remote device can generate the key for protecting communication between the remote device and the relay device according to the third RRC message, which contains the security parameters needed to generate the key.
Optionally, when the remote device receives the security parameters needed to generate the key, it generates a key from them and uses that key to protect subsequent signaling and data between itself and the relay device, while the relay device uses the key received from the base station to verify the security of signaling and data between the remote device and itself, including decryption and/or integrity verification. When the relay device successfully verifies the integrity of the first signaling message from the remote device, it concludes that the remote device is authenticated and allows the remote device to access the network through the relay device. Here the first signaling message of the remote device is the first message it sends to the relay device after generating the key.
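The key path of steps 2407 to 2413, as an added example that is not part of the patent: the mobility management entity derives the key from the remote device's NAS context, the base station forwards the key to the relay device (second RRC message) and the security parameters to the remote device (third RRC message), the remote device derives its own copy, and the relay device admits the remote device only once the first signaling message verifies under that key. The HMAC-SHA256 key derivation, the names `k_asme`, `derive_relay_key` and `Relay`, the use of a random nonce as the security parameter and the 4-byte tag are assumptions, not the 3GPP key derivation functions; only integrity verification is modelled, not decryption.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

# Constructed example, not the patent's key hierarchy. k_asme stands in for the
# root key of the remote device's NAS security context, shared by the remote
# device and its MME; the "security parameter" is a fresh nonce.
MAC_LEN = 4


def derive_relay_key(k_asme: bytes, relay_id: bytes, nonce: bytes) -> bytes:
    """Run by both the remote device's MME and the remote device. relay_id and
    nonce bind the derived key to this relay device and to this request."""
    info = b"PC5-relay-key" + relay_id + nonce
    return hmac.new(k_asme, info, hashlib.sha256).digest()


def mme_generate_key(nas_context: Dict[str, bytes], relay_id: bytes) -> dict:
    """Step 2407 (optional branch): derive the key plus the parameters the
    remote device needs to derive the same key. Both go to the base station
    in the Initial Context Setup Request."""
    nonce = os.urandom(16)
    key = derive_relay_key(nas_context["k_asme"], relay_id, nonce)
    return {"relay_key": key, "security_params": {"relay_id": relay_id, "nonce": nonce}}


def pc5_tag(key: bytes, count: int, payload: bytes) -> bytes:
    return hmac.new(key, struct.pack(">I", count) + payload, hashlib.sha256).digest()[:MAC_LEN]


def protect_pc5(key: bytes, count: int, payload: bytes) -> bytes:
    """Remote device: integrity-protect a PC5 signaling message toward the relay."""
    return payload + pc5_tag(key, count, payload)


class Relay:
    """Relay device: receives the key in the second RRC message and admits the
    remote device only after the first PC5 signaling message verifies."""

    def __init__(self) -> None:
        self.relay_key: Optional[bytes] = None
        self.remote_admitted = False
        self.pc5_count = 0

    def on_rrc_message_2(self, msg: dict) -> None:
        self.relay_key = msg["relay_key"]

    def on_pc5_signaling(self, protected: bytes) -> bool:
        if self.relay_key is None or len(protected) <= MAC_LEN:
            return False                      # no key yet, or malformed message
        payload, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
        if not hmac.compare_digest(pc5_tag(self.relay_key, self.pc5_count, payload), tag):
            return False                      # key mismatch or tampering: stay unadmitted
        self.pc5_count += 1
        self.remote_admitted = True
        return True


def run_flow(k_asme: bytes, relay_id: bytes, remote_k_asme: Optional[bytes] = None) -> bool:
    """Steps 2407-2413 for the key path. remote_k_asme simulates a remote device
    whose NAS context does not match the one the MME holds."""
    mme_out = mme_generate_key({"k_asme": k_asme}, relay_id)
    rrc2 = {"relay_key": mme_out["relay_key"]}        # base station -> relay device
    rrc3 = mme_out["security_params"]                 # base station -> remote device
    relay = Relay()
    relay.on_rrc_message_2(rrc2)
    k_remote = derive_relay_key(remote_k_asme or k_asme, rrc3["relay_id"], rrc3["nonce"])
    first_signaling = protect_pc5(k_remote, 0, b"PC5 first signaling after key generation")
    return relay.on_pc5_signaling(first_signaling)


if __name__ == "__main__":
    print("matching contexts:", run_flow(b"\x01" * 32, b"relay-A"))            # True
    print("mismatched contexts:", run_flow(b"\x01" * 32, b"relay-A", b"\x02" * 32))  # False
```

The relay device never sees the NAS root key: it only receives the derived key, so a compromised relay learns nothing about the remote device's NAS security context, and a remote device whose context the network did not accept cannot produce a first signaling message the relay will verify.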
In the authorization verification method provided by the embodiments of this application, the relay device generates a first RRC message from the communication request received from the remote device and sends it to the base station; the base station receives the first RRC message containing the NAS message of the remote device, recognizes that the remote device is requesting network access through the relay device, obtains the identifier of the relay device, and sends the identifier of the relay device and the NAS message of the remote device to the mobility management entity of the remote device in an Initial UE message; that entity is triggered to verify the association relationship between the remote device and the relay device according to the Initial UE message and, after the verification succeeds, sends an Initial Context Setup Request message to the base station; the base station establishes context information for the remote device according to that message and sends a second RRC message to the relay device, which determines from the second RRC message that the remote device is allowed to access the network through the relay device. This technical solution lowers network deployment requirements, reduces network overhead and improves the efficiency of authorization verification.
On the basis of the above embodiments, Figure 25 is a flow diagram of Embodiment 17 of the authorization verification method provided by the embodiments of this application. This embodiment describes in detail the case in step 2407 above in which the association relationship is verified by the mobility management entity of the remote device itself (the mobility management entity of the remote device triggers verification of the association relationship between the remote device and the relay device according to the Initial UE message). As shown in Figure 25, in the authorization verification method provided by the embodiments of this application, step 2407 includes the following.
Step 2501: the mobility management entity of the remote device obtains authorization relationship information according to the identifier of the remote device.
To verify the association relationship between the remote device and the relay device, the mobility management entity of the remote device first needs to obtain the context information of the remote device and then obtain from it the list of relay devices that have an authorization relationship with the remote device, that is, the authorization relationship information.
Optionally, before receiving the Initial UE message from the base station, the mobility management entity of the remote device obtains the authorization relationship information from the user data management entity and/or the ProSe function entity according to the identifier of the remote device and stores it locally, so that it can later obtain the authorization relationship information directly according to the identifier of the remote device.
Optionally, the authorization relationship information between the remote device and relay devices is stored in the user data management entity and/or the ProSe function entity in the network. Information stored in the user data management entity (for example, a Home Subscriber Server (HSS), or the User Data Management (UDM) entity in a 5G system) is obtained by the mobility management entity of the remote device directly from that entity. For information stored in the ProSe function entity: when the mobility management entity of the remote device can communicate directly with the ProSe function entity, that is, a direct interface exists between them, it obtains the authorization relationship information directly from the ProSe function entity; when it cannot, that is, no direct interface exists between them, it obtains the authorization relationship information from the ProSe function entity through the HSS.
Step 2502: the mobility management entity of the remote device verifies, according to the identifier of the remote device, the identifier of the relay device and the authorization relationship information, whether the remote device is allowed to access the network through the relay device.
Here the identifier of the remote device is contained in the NAS message of the remote device and/or directly in the Initial UE message.
Optionally, once the mobility management entity of the remote device has the identifier of the remote device, the identifier of the relay device and the authorization relationship information, it can verify the association relationship between the remote device and the relay device: if the authorization relationship information contains an association between the remote device and the relay device, the remote device is allowed to access the network through the relay device; otherwise, it is not.
Optionally, in this embodiment, when the communication request sent by the remote device to the relay device contains a relay service code, the mobility management entity of the remote device, after obtaining the authorization relationship information, verifies whether the remote device is allowed to access the network through the relay device according to the identifier of the remote device, the identifier of the relay device, the relay service code and the authorization relationship information. In this case the authorization relationship information is a list relating the relay devices that have an authorization relationship with the remote device to their corresponding relay service codes.
Optionally, the relay service code characterizes the type of service the remote device is requesting, with different relay service codes corresponding to different service types; therefore, in this embodiment, the mobility management entity of the remote device also takes the relay service code into account when verifying the association relationship between the remote device and the relay device.
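Steps 2501 and 2502 as an added example that is not part of the patent: a Python sketch of the association check performed by the mobility management entity of the remote device, including the relay service code variant. The `AuthorizationInfo` layout (relay identifier mapped to the set of permitted relay service codes), the dict standing in for the HSS/UDM or ProSe function, and all names are assumptions. Two choices are deliberate: an unknown subscriber or an unknown relay yields a refusal rather than a default allow, and the relay service code is only checked when the communication request actually carried one.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class AuthorizationInfo:
    """Assumed layout of the authorization relationship information for one
    remote device: relay identifier -> relay service codes permitted via it.
    An empty set means the relay is associated but no service code is defined."""
    relays: Dict[str, Set[int]] = field(default_factory=dict)


class RemoteDeviceMme:
    def __init__(self, subscriber_store: Dict[str, AuthorizationInfo]) -> None:
        # subscriber_store stands in for the HSS/UDM or the ProSe function; it
        # is a plain dict here so the example runs offline.
        self._store = subscriber_store
        self._cache: Dict[str, AuthorizationInfo] = {}

    def prefetch(self, remote_id: str) -> None:
        """Step 2501 (optional form): fetch and cache the authorization
        relationship information before the Initial UE message arrives."""
        info = self._store.get(remote_id)
        if info is not None:
            self._cache[remote_id] = info

    def get_authorization_info(self, remote_id: str) -> Optional[AuthorizationInfo]:
        if remote_id not in self._cache:
            self.prefetch(remote_id)
        return self._cache.get(remote_id)

    def verify_association(self, remote_id: str, relay_id: str,
                           relay_service_code: Optional[int] = None) -> bool:
        """Step 2502: allow access only if the relay is in the remote device's
        authorized relay list and, when a relay service code was carried in
        the communication request, that code is permitted for this relay."""
        info = self.get_authorization_info(remote_id)
        if info is None:
            return False                  # unknown subscriber: deny, never default-allow
        codes = info.relays.get(relay_id)
        if codes is None:
            return False                  # relay not associated with this remote device
        if relay_service_code is None:
            return True
        return relay_service_code in codes

    def handle_initial_ue_message(self, msg: dict) -> bool:
        """Step 2407: the remote device identifier may sit inside the NAS
        message or directly in the Initial UE message; the relay identifier
        is always carried directly."""
        nas = msg.get("nas", {})
        remote_id = msg.get("remote_id") or nas.get("remote_id")
        code = nas.get("relay_service_code", msg.get("relay_service_code"))
        return self.verify_association(remote_id, msg["relay_id"], code)


if __name__ == "__main__":
    # Constructed subscriber data: remote-1 may use relay-A for services 1 and 2
    # and relay-B with no service code defined.
    store = {"remote-1": AuthorizationInfo({"relay-A": {1, 2}, "relay-B": set()})}
    mme = RemoteDeviceMme(store)
    print(mme.handle_initial_ue_message(
        {"relay_id": "relay-A", "nas": {"remote_id": "remote-1", "relay_service_code": 2}}))  # True
    print(mme.handle_initial_ue_message(
        {"relay_id": "relay-C", "remote_id": "remote-1", "nas": {}}))                         # False
```

When the first verification request or second verification request of step 2407 is used instead, the same `verify_association` logic runs in the mobility management entity of the relay device or in the ProSe function entity, keyed by the relay-side list of remote devices rather than the remote-side list of relays.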
It should be noted that the steps for performing the association relationship verification by the mobility management entity of the relay device or by the ProSe function entity in step 2407 above are similar and are not repeated here.
In the authorization verification method provided by the embodiments of this application, the mobility management entity of the remote device first obtains the authorization relationship information according to the identifier of the remote device, and then verifies, according to the identifier of the remote device, the identifier of the relay device and the authorization relationship information, whether the remote device is allowed to access the network through the relay device. The association relationship verification method of this technical solution is simple and easy to implement.
Figure 26 is a schematic structural diagram of another authorization verification device provided by an embodiment of the present application. The device is located in the mobility management entity of the remote device. As shown in Figure 26, the device of this embodiment may include a receiving module 2601, a processing module 2602 and a sending module 2603.
The receiving module 2601 is configured to receive an Initial UE message sent by the base station, where the Initial UE message includes the non-access stratum (NAS) message of the remote device and the identifier of the relay device;
The processing module 2602 is configured to trigger verification of the association between the remote device and the relay device according to the Initial UE message;
The sending module 2603 is configured to send an Initial Context Setup Request message to the base station after the association is determined to be verified.
Optionally, the processing module 2602 is specifically configured to obtain authorization relationship information according to the identifier of the remote device, and to verify, according to the identifier of the remote device, the identifier of the relay device and the authorization relationship information, whether the remote device is allowed to access the network through the relay device;
where the identifier of the remote device is included in the NAS message of the remote device and/or the identifier of the remote device is included in the Initial UE message.
Optionally, the processing module 2602 is further configured to, before the receiving module 2601 receives the Initial UE message sent by the base station, obtain the authorization relationship information from a user data management entity and/or a proximity service function entity according to the identifier of the remote device, and store the authorization relationship information in the mobility management entity of the remote device.
Optionally, the processing module 2602 is specifically configured to obtain the NAS context information of the remote device according to the identifier of the remote device, and to perform an integrity check on the NAS message of the remote device.
Optionally, the processing module 2602 is further configured to obtain the NAS context information of the remote device according to the identifier of the remote device, and to generate, according to the NAS context information, a key for protecting communication security between the remote device and the relay device;
The sending module 2603 is further configured to send the key and the security parameter needed to generate the key to the base station in the Initial Context Setup Request message.
Optionally, the sending module 2603 is further configured to send a first verification request message to the mobility management entity of the relay device, so that the mobility management entity of the relay device verifies the association between the remote device and the relay device according to the first verification request message; the first verification request message includes the identifier of the remote device and the identifier of the relay device.
Optionally, the sending module 2603 is further configured to send a key request message to a security function entity, so that the security function entity obtains, according to the key request message, the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate the key, and feeds back the key and the security parameter needed to generate the key to the mobility management entity of the remote device; the key request message includes the identifier of the remote device.
The authorization verification device provided in this embodiment can be used to execute the technical solution of the mobility management entity of the remote device in the method embodiments shown in Figure 24 and Figure 25. Its implementation principle and technical effect are similar and are not described again here.
Figure 27 is a schematic structural diagram of another authorization verification device provided by an embodiment of the present application. The device may be located in a base station. As shown in Figure 27, the device of this embodiment may include a receiving module 2701, a processing module 2702 and a sending module 2703.
The receiving module 2701 is configured to receive a first radio resource control (RRC) message sent by the relay device, where the first RRC message includes the NAS message of the remote device;
The processing module 2702 is configured to identify, according to the first RRC message, that the remote device requests to access the network through the relay device, and to obtain the identifier of the relay device;
The sending module 2703 is configured to send the identifier of the relay device and the NAS message of the remote device to the mobility management entity of the remote device in an Initial UE message;
The receiving module 2701 is further configured to receive the Initial Context Setup Request message sent by the mobility management entity of the remote device after it determines that the association between the remote device and the relay device is verified;
The processing module 2702 is further configured to establish context information for the remote device according to the Initial Context Setup Request message;
The sending module 2703 is further configured to send a second RRC message to the relay device.
Optionally, the processing module 2702 is specifically configured to obtain the identifier of the relay device from the context information of the relay device stored in the base station, or to obtain the identifier of the relay device from the first RRC message.
Optionally, the receiving module 2701 is further configured to, when the mobility management entity of the remote device generates the key for protecting communication security between the remote device and the relay device, receive the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate the key, sent by the mobility management entity of the relay device.
Optionally, the sending module 2703 is further configured to send a third RRC message to the remote device, so that the remote device generates, according to the third RRC message, the key for protecting communication security between the remote device and the relay device; the third RRC message includes the security parameter needed to generate the key.
The authorization verification device provided in this embodiment can be used to execute the technical solution of the base station in the method embodiment shown in Figure 24. Its implementation principle and technical effect are similar and are not described again here.
Figure 28 is a schematic structural diagram of another authorization verification device provided by an embodiment of the present application. The device may be located in a relay device. As shown in Figure 28, the device of this embodiment may include a receiving module 2801, a processing module 2802 and a sending module 2803.
The receiving module 2801 is configured to receive a communication request sent by the remote device;
The processing module 2802 is configured to generate a first RRC message according to the communication request;
The sending module 2803 is configured to send the first RRC message to the base station;
The receiving module 2801 is further configured to receive a second RRC message sent by the base station after the base station establishes context information for the remote device;
The processing module 2802 is further configured to determine, according to the second RRC message, that the remote device is allowed to access the network through the relay device.
Optionally, the sending module 2803 is further configured to send the identifier of the relay device to the base station in the first RRC message, so that the base station identifies that the remote device requests to access the network through the relay device.
The authorization verification device provided in this embodiment can be used to execute the technical solution of the relay device in the method embodiment shown in Figure 24. Its implementation principle and technical effect are similar and are not described again here.
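The exchange between base station, remote device's mobility management entity, relay device and remote device described in the method and in the devices of Figures 26 to 28, as an added offline model that is not part of the patent. The message layout, the HMAC-SHA256 NAS integrity check, the key construction and every identifier and key value are assumptions chosen for illustration; the patent names the messages and their contents but specifies no algorithms.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class InitialUEMessage:
    """Initial UE message from the base station to the remote device's MME.
    The field layout is an assumption; the patent only names its contents."""
    relay_id: str        # identifier of the relay device, added by the base station
    remote_id: str       # identifier of the remote device (carried here outside the NAS message)
    nas_payload: bytes   # the remote device's NAS message
    nas_mac: bytes       # integrity tag the remote device computed over nas_payload


def derive_relay_key(k_root: bytes, relay_id: str, nonce: bytes) -> bytes:
    """Key protecting the remote device <-> relay device link, derived from the
    root key of the remote device's NAS context. The construction (HMAC-SHA256
    over a label, the relay identifier and a nonce) is an assumption."""
    return hmac.new(k_root, b"relay-link|" + relay_id.encode() + b"|" + nonce,
                    hashlib.sha256).digest()


@dataclass
class RemoteDeviceMme:
    """Mobility management entity of the remote device (the device of Figure 26)."""
    # authorization relationship information, obtained beforehand from the user data
    # management entity / ProSe function: remote_id -> relay identifiers it may use
    authorization: dict = field(default_factory=dict)
    # NAS context per remote device: remote_id -> {"k_nas_int": bytes, "k_root": bytes}
    nas_context: dict = field(default_factory=dict)

    def verify_association(self, remote_id: str, relay_id: str) -> bool:
        """Is this remote device allowed to access the network through this relay?"""
        return relay_id in self.authorization.get(remote_id, set())

    def check_nas_integrity(self, msg: InitialUEMessage) -> bool:
        """Integrity check of the NAS message with the NAS integrity key from the context."""
        ctx = self.nas_context.get(msg.remote_id)
        if ctx is None:
            return False   # no NAS context for this identifier: cannot verify the message
        expected = hmac.new(ctx["k_nas_int"], msg.nas_payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg.nas_mac)

    def handle_initial_ue_message(self, msg: InitialUEMessage,
                                  nonce: Optional[bytes] = None):
        """Return (message type, body) of what the MME answers to the base station."""
        if not self.check_nas_integrity(msg):
            return "REJECT", "NAS integrity check failed"
        if not self.verify_association(msg.remote_id, msg.relay_id):
            return "REJECT", "remote device not authorized to use this relay device"
        if nonce is None:
            nonce = os.urandom(16)   # security parameter needed to regenerate the key
        key = derive_relay_key(self.nas_context[msg.remote_id]["k_root"], msg.relay_id, nonce)
        return "INITIAL_CONTEXT_SETUP_REQUEST", {"remote_id": msg.remote_id,
                                                 "relay_id": msg.relay_id,
                                                 "key": key,
                                                 "security_parameter": nonce}


def run_flow(relay_id: str, authorized_relays: set, tamper: bool = False) -> dict:
    """Drive the exchange end to end with constructed sample keys and identifiers."""
    k_nas_int = hashlib.sha256(b"constructed NAS integrity key").digest()
    k_root = hashlib.sha256(b"constructed NAS context root key").digest()
    mme = RemoteDeviceMme(
        authorization={"remote-ue-1": set(authorized_relays)},
        nas_context={"remote-ue-1": {"k_nas_int": k_nas_int, "k_root": k_root}})
    # 1. remote device -> relay device -> base station: integrity-protected NAS message
    #    carried in the relay device's first RRC message
    payload = b"ATTACH REQUEST via relay"
    mac = hmac.new(k_nas_int, payload, hashlib.sha256).digest()
    if tamper:
        payload += b"!"   # the NAS message is altered on the way to the network
    # 2. base station identifies relayed access, adds the relay identifier and sends
    #    the Initial UE message to the remote device's MME
    kind, body = mme.handle_initial_ue_message(
        InitialUEMessage(relay_id, "remote-ue-1", payload, mac), nonce=bytes(16))
    if kind != "INITIAL_CONTEXT_SETUP_REQUEST":
        return {"accepted": False, "reason": body}
    # 3. the base station hands the key to the relay device (second RRC message) and
    #    only the security parameter to the remote device (third RRC message), which
    #    derives the same key from its own NAS context
    remote_key = derive_relay_key(k_root, relay_id, body["security_parameter"])
    return {"accepted": True,
            "keys_match": hmac.compare_digest(body["key"], remote_key)}
```

The relay device never sees the NAS context, so a relay that is not in the authorization relationship for that remote device is refused before any link key exists, and a NAS message altered in transit is refused before the authorization lookup.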

Claims (30)

  1. An authorization verification method, characterized by comprising:
    a mobility management entity of a remote device receives an Initial UE message sent by a base station, where the Initial UE message includes a non-access stratum (NAS) message of the remote device and an identifier of a relay device;
    the mobility management entity of the remote device triggers verification of the association between the remote device and the relay device according to the Initial UE message;
    the mobility management entity of the remote device sends an Initial Context Setup Request message to the base station after determining that the association is verified.
  2. The method according to claim 1, characterized in that the mobility management entity of the remote device triggering verification of the association between the remote device and the relay device according to the Initial UE message comprises:
    the mobility management entity of the remote device obtains authorization relationship information according to the identifier of the remote device;
    the mobility management entity of the remote device verifies, according to the identifier of the remote device, the identifier of the relay device and the authorization relationship information, whether the remote device is allowed to access the network through the relay device;
    where the identifier of the remote device is included in the NAS message of the remote device and/or the identifier of the remote device is included in the Initial UE message.
  3. The method according to claim 2, characterized in that, before the mobility management entity of the remote device receives the Initial UE message sent by the base station, the mobility management entity of the remote device obtains the authorization relationship information from a user data management entity and/or a proximity service function entity according to the identifier of the remote device, and stores the authorization relationship information in the mobility management entity of the remote device.
  4. The method according to any one of claims 1 to 3, characterized in that the mobility management entity of the remote device triggering verification of the association between the remote device and the relay device according to the Initial UE message comprises:
    the mobility management entity of the remote device obtains NAS context information of the remote device according to the identifier of the remote device, and performs an integrity check on the NAS message of the remote device.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    the mobility management entity of the remote device obtains NAS context information of the remote device according to the identifier of the remote device;
    the mobility management entity of the remote device generates, according to the NAS context information, a key for protecting communication security between the remote device and the relay device;
    the mobility management entity of the remote device sends the key and the security parameter needed to generate the key to the base station in the Initial Context Setup Request message.
  6. The method according to any one of claims 1 to 5, characterized in that the method further comprises:
    the mobility management entity of the remote device sends a first verification request message to the mobility management entity of the relay device, so that the mobility management entity of the relay device verifies the association between the remote device and the relay device according to the first verification request message; the first verification request message includes the identifier of the remote device and the identifier of the relay device.
  7. The method according to any one of claims 1 to 6, characterized in that the method further comprises:
    the mobility management entity of the remote device sends a key request message to a security function entity, so that the security function entity obtains, according to the key request message, the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate the key, and feeds back the key and the security parameter needed to generate the key to the mobility management entity of the remote device; the key request message includes the identifier of the remote device.
  8. An authorization verification method, characterized by comprising:
    a base station receives a first radio resource control (RRC) message sent by a relay device, where the first RRC message includes a NAS message of a remote device;
    the base station identifies, according to the first RRC message, that the remote device requests to access the network through the relay device, obtains an identifier of the relay device, and sends the identifier of the relay device and the NAS message of the remote device to a mobility management entity of the remote device in an Initial UE message;
    the base station receives an Initial Context Setup Request message sent by the mobility management entity of the remote device after it determines that the association between the remote device and the relay device is verified;
    the base station establishes context information for the remote device according to the Initial Context Setup Request message, and sends a second RRC message to the relay device.
  9. The method according to claim 8, characterized in that the base station obtaining the identifier of the relay device comprises:
    the base station obtains the identifier of the relay device from the context information of the relay device stored in the base station, or the base station obtains the identifier of the relay device from the first RRC message.
  10. The method according to claim 8 or 9, characterized in that
    the identifier of the remote device is included in the NAS message of the remote device and/or the identifier of the remote device is included in the Initial UE message.
  11. The method according to any one of claims 8 to 10, characterized in that the method further comprises:
    the base station establishes a mapping relationship between the remote device and the relay device according to the Initial Context Setup Request message.
  12. The method according to any one of claims 8 to 11, characterized in that, when the mobility management entity of the remote device generates the key for protecting communication security between the remote device and the relay device, the method further comprises:
    the base station receives the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate the key, sent by the mobility management entity of the relay device.
  13. The method according to any one of claims 8 to 12, characterized in that the method further comprises:
    the base station sends a third RRC message to the remote device, so that the remote device generates, according to the third RRC message, the key for protecting communication security between the remote device and the relay device; the third RRC message includes the security parameter needed to generate the key.
  14. An authorization verification method, characterized by comprising:
    a relay device receives a communication request sent by a remote device;
    the relay device generates a first RRC message according to the communication request, and sends the first RRC message to a base station;
    the relay device receives a second RRC message sent by the base station after the base station establishes context information for the remote device, and determines, according to the second RRC message, that the remote device is allowed to access the network through the relay device.
  15. The method according to claim 14, characterized in that it further comprises:
    the relay device sends the identifier of the relay device to the base station in the first RRC message, so that the base station identifies that the remote device requests to access the network through the relay device.
  16. The method according to claim 14 or 15, characterized in that the method further comprises:
    the relay device establishes a mapping relationship between the remote device and the relay device according to the second RRC message sent by the base station.
  17. The method according to any one of claims 14 to 16, characterized in that the second RRC message includes the key for protecting communication security between the remote device and the relay device.
  18. An authorization verification device, characterized by comprising:
    a receiving module, configured to receive an Initial UE message sent by a base station, where the Initial UE message includes a NAS message of a remote device and an identifier of a relay device;
    a processing module, configured to trigger verification of the association between the remote device and the relay device according to the Initial UE message;
    a sending module, configured to send an Initial Context Setup Request message to the base station after determining that the association is verified.
  19. The device according to claim 18, characterized in that the processing module is specifically configured to obtain authorization relationship information according to the identifier of the remote device, and to verify, according to the identifier of the remote device, the identifier of the relay device and the authorization relationship information, whether the remote device is allowed to access the network through the relay device;
    where the identifier of the remote device is included in the NAS message of the remote device and/or the identifier of the remote device is included in the Initial UE message.
  20. The device according to claim 19, characterized in that the processing module is further configured to, before the receiving module receives the Initial UE message sent by the base station, obtain the authorization relationship information from a user data management entity and/or a proximity service function entity according to the identifier of the remote device, and store the authorization relationship information in the mobility management entity of the remote device.
  21. The device according to any one of claims 18 to 20, characterized in that the processing module is specifically configured to obtain NAS context information of the remote device according to the identifier of the remote device, and to perform an integrity check on the NAS message of the remote device.
  22. The device according to any one of claims 18 to 21, characterized in that the processing module is further configured to obtain NAS context information of the remote device according to the identifier of the remote device, and to generate, according to the NAS context information, a key for protecting communication security between the remote device and the relay device;
    the sending module is further configured to send the key and the security parameter needed to generate the key to the base station in the Initial Context Setup Request message.
  23. The device according to any one of claims 18 to 22, characterized in that the sending module is further configured to send a first verification request message to the mobility management entity of the relay device, so that the mobility management entity of the relay device verifies the association between the remote device and the relay device according to the first verification request message; the first verification request message includes the identifier of the remote device and the identifier of the relay device.
  24. The device according to any one of claims 18 to 23, characterized in that the sending module is further configured to send a key request message to a security function entity, so that the security function entity obtains, according to the key request message, the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate the key, and feeds back the key and the security parameter needed to generate the key to the mobility management entity of the remote device; the key request message includes the identifier of the remote device.
  25. An authorization verification device, characterized by comprising:
    a receiving module, configured to receive a first RRC message sent by a relay device, where the first RRC message includes a NAS message of a remote device;
    a processing module, configured to identify, according to the first RRC message, that the remote device requests to access the network through the relay device, and to obtain an identifier of the relay device;
    a sending module, configured to send the identifier of the relay device and the NAS message of the remote device to a mobility management entity of the remote device in an Initial UE message;
    the receiving module is further configured to receive an Initial Context Setup Request message sent by the mobility management entity of the remote device after it determines that the association between the remote device and the relay device is verified;
    the processing module is further configured to establish context information for the remote device according to the Initial Context Setup Request message;
    the sending module is further configured to send a second RRC message to the relay device.
  26. The device according to claim 25, characterized in that the processing module is specifically configured to obtain the identifier of the relay device from the context information of the relay device stored in the base station, or to obtain the identifier of the relay device from the first RRC message.
  27. The device according to claim 25 or 26, characterized in that the receiving module is further configured to, when the mobility management entity of the remote device generates the key for protecting communication security between the remote device and the relay device, receive the key for protecting communication security between the remote device and the relay device and the security parameter needed to generate the key, sent by the mobility management entity of the relay device.
  28. The device according to any one of claims 25 to 27, characterized in that the sending module is further configured to send a third RRC message to the remote device, so that the remote device generates, according to the third RRC message, the key for protecting communication security between the remote device and the relay device; the third RRC message includes the security parameter needed to generate the key.
  29. An authorization verification device, characterized by comprising:
    a receiving module, configured to receive a communication request sent by a remote device;
    a processing module, configured to generate a first RRC message according to the communication request;
    a sending module, configured to send the first RRC message to a base station;
    the receiving module is further configured to receive a second RRC message sent by the base station after the base station establishes context information for the remote device;
    the processing module is further configured to determine, according to the second RRC message, that the remote device is allowed to access the network through the relay device.
  30. The device according to claim 29, characterized in that the sending module is further configured to send the identifier of the relay device to the base station in the first RRC message, so that the base station identifies that the remote device requests to access the network through the relay device.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CNPCT/CN2017/070477 2017-01-06
PCT/CN2017/070477 WO2018126452A1 (en) 2017-01-06 2017-01-06 Authorization verification method and device
PCT/CN2017/077271 WO2018126534A1 (en) 2017-01-06 2017-03-20 Authorisation verification method and apparatus

Publications (2)

Publication Number Publication Date
CN109716810A true CN109716810A (en) 2019-05-03
CN109716810B CN109716810B (en) 2020-08-25

Family

ID=62788827

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780056351.6A Active CN109716810B (en) 2017-01-06 2017-03-20 Authorization verification method and device

Country Status (4)

Country Link
US (1) US20190335332A1 (en)
EP (2) EP3849227A1 (en)
CN (1) CN109716810B (en)
WO (2) WO2018126452A1 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111404944A (en) * 2020-03-19 2020-07-10 中国电子科技集团公司第三十研究所 Safe UDM/HSS design method and system for realizing main authentication enhancement
CN111414645A (en) * 2020-03-19 2020-07-14 中国电子科技集团公司第三十研究所 Safe HSS/UDM design method and system for realizing privacy protection function
CN113132334A (en) * 2019-12-31 2021-07-16 华为技术有限公司 Method and device for determining authorization result
CN113179515A (en) * 2020-01-08 2021-07-27 华为技术有限公司 Method and device for verifying relay user equipment
CN113498615A (en) * 2019-08-16 2021-10-12 Oppo广东移动通信有限公司 Communication method, terminal equipment and network equipment
CN113518319A (en) * 2020-04-09 2021-10-19 华为技术有限公司 Service processing method, device and system for proximity service
CN113543135A (en) * 2020-04-13 2021-10-22 华为技术有限公司 Authorization method, policy control function device and access and mobility management function device
CN113873613A (en) * 2020-06-30 2021-12-31 华为技术有限公司 Access control method and related device
WO2022088029A1 (en) * 2020-10-30 2022-05-05 华为技术有限公司 Key acquisition method and communication apparatus
CN114650537A (en) * 2020-12-17 2022-06-21 维沃移动通信有限公司 Credit relay communication method, device, terminal and network side equipment
WO2022170994A1 (en) * 2021-02-10 2022-08-18 大唐移动通信设备有限公司 Pc5 root key processing method and apparatus, and ausf and remote terminal
CN115336303A (en) * 2020-03-31 2022-11-11 华为技术有限公司 Method, device and system for acquiring terminal equipment identifier
WO2023143459A1 (en) * 2022-01-29 2023-08-03 华为技术有限公司 Authorization method and apparatus

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MX2019008888A (en) * 2017-01-30 2019-10-15 Telefonaktiebolaget LM Ericsson publi Wireless communications.
CN112911583A (en) 2017-07-11 2021-06-04 华为技术有限公司 Equipment access method, equipment and system
WO2019031865A1 (en) * 2017-08-09 2019-02-14 엘지전자 주식회사 Method for performing rrc connection procedure in wireless communication system and apparatus therefor
CN109561429B (en) * 2017-09-25 2020-11-17 华为技术有限公司 Authentication method and device
WO2019240544A1 (en) * 2018-06-14 2019-12-19 Lg Electronics Inc. Method and apparatus for performing sidelink communication by ue in nr v2x
CN114503630A (en) * 2019-10-04 2022-05-13 三星电子株式会社 Method and device for activating 5G user
CN113133085B (en) * 2019-12-30 2022-05-13 华为技术有限公司 Method and communication device for establishing connection and acquiring relay service code
CN113132985A (en) * 2019-12-30 2021-07-16 华为技术有限公司 Communication method and device
US11201958B2 (en) * 2020-01-20 2021-12-14 Ppip, Llc Alternative transport in data communication for mobile device
US11689957B2 (en) * 2020-03-13 2023-06-27 Qualcomm Incorporated Quality of service support for sidelink relay service
US11825330B2 (en) 2020-03-13 2023-11-21 Qualcomm Incorporated Techniques for quality of service support in sidelink communications
CN113596789A (en) 2020-04-30 2021-11-02 维沃移动通信有限公司 Device interaction method and core network device
US20210345104A1 (en) * 2020-05-01 2021-11-04 Qualcomm Incorporated Relay sidelink communications for secure link establishment
WO2022019725A1 (en) * 2020-07-23 2022-01-27 Samsung Electronics Co., Ltd. Methods and systems for identifying ausf and accessing related keys in 5g prose
CA3204772A1 (en) * 2021-01-11 2022-07-14 Yizhuang WU Method, system, and apparatus for generating key for inter-device communication
CN115499890A (en) * 2021-06-18 2022-12-20 华为技术有限公司 Method, device and system for relay communication
CN115996437A (en) * 2021-10-20 2023-04-21 华为技术有限公司 Method and device for relaying communication
CN116866900A (en) * 2022-03-24 2023-10-10 华为技术有限公司 Encryption method and device based on channel secret key
WO2023178689A1 (en) * 2022-03-25 2023-09-28 Oppo广东移动通信有限公司 Security implementation method and apparatus, device, and network element
CN117812590A (en) * 2022-09-30 2024-04-02 华为技术有限公司 Communication method and device, computer readable storage medium and communication system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931935A (en) * 2009-06-25 2010-12-29 华为技术有限公司 Terminal access method, network equipment and communication system
CN103856927A (en) * 2012-12-05 2014-06-11 电信科学技术研究院 Method, device and communication system for determining proximity relation between user devices
CN104066200A (en) * 2013-03-21 2014-09-24 北京三星通信技术研究有限公司 Method for realizing end-to-end communication among user equipment (UE), and UE
CN104081867A (en) * 2012-01-31 2014-10-01 高通股份有限公司 Providing network-assisted peer-to-peer connection establishment between LTE devices
US20160037385A1 (en) * 2014-01-31 2016-02-04 Telefonaktiebolaget L M Ericsson (Publ) Interference Mitigation of D2D Communications in Different Coverage Scenarios
CN106162803A (en) * 2015-04-02 2016-11-23 中兴通讯股份有限公司 A kind of relaying UE connection control method and device
CN106304036A (en) * 2015-05-19 2017-01-04 华为技术有限公司 A kind of method and apparatus that junction traffic is provided
CN106470382A (en) * 2015-08-14 2017-03-01 中兴通讯股份有限公司 Authority checking method, configuration information method of reseptance, device, base station and terminal

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101500229B (en) * 2008-01-30 2012-05-23 华为技术有限公司 Method for establishing security association and communication network system
CN101902835B (en) * 2009-05-27 2014-09-10 中国移动通信集团公司 Method for identifying relay node, base station, relay node and mobile management entity
CN102595395A (en) * 2011-01-14 2012-07-18 中兴通讯股份有限公司 Relay node authentication method and system
JP5021820B1 (en) * 2011-04-01 2012-09-12 株式会社エヌ・ティ・ティ・ドコモ Mobile communication method and mobility management node
US8934400B2 (en) * 2013-02-22 2015-01-13 General Dynamics C4 Systems, Inc. Apparatus and methods for relay-assisted uplink communication
US8934401B2 (en) * 2013-02-22 2015-01-13 General Dynamics C4 Systems, Inc. Apparatus and methods for relay-assisted uplink communication
US9549348B2 (en) * 2013-12-20 2017-01-17 Telefonaktiebolaget Lm Ericsson (Publ) Restoration of user equipment control in the presence of communication link failure between packet switched and circuit switched controlling nodes
WO2016140507A1 (en) * 2015-03-02 2016-09-09 Samsung Electronics Co., Ltd. Method and apparatus for providing service in wireless communication system

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931935A (en) * 2009-06-25 2010-12-29 华为技术有限公司 Terminal access method, network equipment and communication system
CN104081867A (en) * 2012-01-31 2014-10-01 高通股份有限公司 Providing network-assisted peer-to-peer connection establishment between LTE devices
CN103856927A (en) * 2012-12-05 2014-06-11 电信科学技术研究院 Method, device and communication system for determining proximity relation between user devices
CN104066200A (en) * 2013-03-21 2014-09-24 北京三星通信技术研究有限公司 Method for realizing end-to-end communication among user equipment (UE), and UE
US20160037385A1 (en) * 2014-01-31 2016-02-04 Telefonaktiebolaget L M Ericsson (Publ) Interference Mitigation of D2D Communications in Different Coverage Scenarios
CN106162803A (en) * 2015-04-02 2016-11-23 中兴通讯股份有限公司 Relay UE connection control method and device
CN106304036A (en) * 2015-05-19 2017-01-04 华为技术有限公司 Method and apparatus for providing junction traffic
CN106470382A (en) * 2015-08-14 2017-03-01 中兴通讯股份有限公司 Authority checking method, configuration information receiving method, device, base station and terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI, HISILICON: "The ProSe UE-to-network relay with the network authorization", 3GPP SA WG2 Meeting #99, S2-133843 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3975592A4 (en) * 2019-08-16 2022-06-22 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Communication method, terminal device and network device
CN113498615A (en) * 2019-08-16 2021-10-12 Oppo广东移动通信有限公司 Communication method, terminal equipment and network equipment
CN113498615B (en) * 2019-08-16 2022-12-20 Oppo广东移动通信有限公司 Communication method, terminal equipment and network equipment
CN113132334A (en) * 2019-12-31 2021-07-16 华为技术有限公司 Method and device for determining authorization result
CN113132334B (en) * 2019-12-31 2022-12-27 华为技术有限公司 Authorization result determination method and device
CN113179515B (en) * 2020-01-08 2023-07-18 华为技术有限公司 Method and device for checking relay user equipment
CN113179515A (en) * 2020-01-08 2021-07-27 华为技术有限公司 Method and device for verifying relay user equipment
CN111404944B (en) * 2020-03-19 2022-03-18 中国电子科技集团公司第三十研究所 Safe UDM/HSS design method and system for realizing main authentication enhancement
CN111404944A (en) * 2020-03-19 2020-07-10 中国电子科技集团公司第三十研究所 Safe UDM/HSS design method and system for realizing main authentication enhancement
CN111414645A (en) * 2020-03-19 2020-07-14 中国电子科技集团公司第三十研究所 Safe HSS/UDM design method and system for realizing privacy protection function
CN115336303A (en) * 2020-03-31 2022-11-11 华为技术有限公司 Method, device and system for acquiring terminal equipment identifier
CN113518319A (en) * 2020-04-09 2021-10-19 华为技术有限公司 Service processing method, device and system for proximity service
CN113518319B (en) * 2020-04-09 2023-03-17 华为技术有限公司 Service processing method, device and system for proximity service
CN113543135A (en) * 2020-04-13 2021-10-22 华为技术有限公司 Authorization method, policy control function device and access and mobility management function device
CN113873613A (en) * 2020-06-30 2021-12-31 华为技术有限公司 Access control method and related device
WO2022088029A1 (en) * 2020-10-30 2022-05-05 华为技术有限公司 Key acquisition method and communication apparatus
CN114650537A (en) * 2020-12-17 2022-06-21 维沃移动通信有限公司 Credit relay communication method, device, terminal and network side equipment
WO2022170994A1 (en) * 2021-02-10 2022-08-18 大唐移动通信设备有限公司 Pc5 root key processing method and apparatus, and ausf and remote terminal
WO2023143459A1 (en) * 2022-01-29 2023-08-03 华为技术有限公司 Authorization method and apparatus

Also Published As

Publication number Publication date
EP3557898A4 (en) 2019-10-30
EP3557898A1 (en) 2019-10-23
EP3557898B1 (en) 2020-11-25
WO2018126534A1 (en) 2018-07-12
US20190335332A1 (en) 2019-10-31
EP3849227A1 (en) 2021-07-14
WO2018126452A1 (en) 2018-07-12
CN109716810B (en) 2020-08-25

Similar Documents

Publication Publication Date Title
CN109716810A (en) Authority checking method and apparatus
CN110798833B (en) Method and device for verifying user equipment identification in authentication process
US10341859B2 (en) Method and device of generating a key for device-to-device communication between a first user equipment and a second user equipment
WO2019019736A1 (en) Security implementation method, and related apparatus and system
CN108293223B (en) Data transmission method, user equipment and network side equipment
CN102905265B (en) Method and device for realizing mobile device attachment
CN109922474B (en) Method for triggering network authentication and related equipment
US20150121490A1 (en) Key derivation method and apparatus for local access under control of a cellular network
CN109121469A (en) System and method for device identification and authentication
US20130189955A1 (en) Method for context establishment in telecommunication networks
CN113382404B (en) Method and equipment for acquiring UE security capability
US10904756B2 (en) Authentication for next generation systems
CN113055879B (en) User identification access method and communication device
CN113784343A (en) Method and apparatus for securing communications
CN109417490A (en) Access control method and device
CN110073681B (en) Method, apparatus and computer readable medium for internet of things device
US20180097807A1 (en) Method and apparatus for performing initial access procedure based on authentication in wireless communication system
CN115412911A (en) Authentication method, communication device and system
CN113518475A (en) Communication method, device and system
WO2023004683A1 (en) Communication method, apparatus, and device
CN114642014B (en) Communication method, device and equipment
CN111866870B (en) Key management method and device
CN116528234B (en) Virtual machine security and credibility verification method and device
US20220393877A1 (en) Cryptographic Security Mechanism for Groupcast Communication
US20170318552A1 (en) Method of attaching a user equipment to a base station of a telecommunications system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant